Skip to content

Latest commit

 

History

History
649 lines (517 loc) · 30.8 KB

File metadata and controls

649 lines (517 loc) · 30.8 KB

Configure HTTP, TCP, or SSL profiles on Netscaler

Configurations such as, HTTP, TCP, or SSL for a Netscaler appliance can be specified using individual entities such as HTTP profile, TCP profile, or SSL profile respectively. The profile is a collection of settings pertaining to the individual protocols, for example, HTTP profile is a collection of HTTP settings. It offers ease of configuration and flexibility. Instead of configuring the settings on each entity you can configure them in a profile and bind the profile to all the entities that the settings apply to.

Netscaler ingress controller enables you to configure HTTP, TCP, or SSL related configuration on the Ingress Netscaler using profiles.

Understand Netscaler configuration in Kubernetes environment

In a Kubernetes environment, the Ingress Netscaler uses Content Switching (CS) virtual server as the front end for external traffic. That is, it is the entity that receives the requests from the client. After processing the request, the CS virtual server passes the request data to a load balancing (LB) entity. The LB virtual server and the associated service group processes the request data and then forwards it to the appropriate app (microservice).

You need to have a separate front end configuration for the entities that receive the traffic from the client (highlighted as Client Plane in the diagram) and a back end configuration for the entities that forward the traffic from the Netscaler to the microservices in Kubernetes (highlighted as Server Plane in the diagram).

Netscaler configuration

The Netscaler ingress controller provides individual smart annotations for the front end and back-end configurations that you can use based on your requirement.

HTTP profile

An HTTP profile is a collection of HTTP settings. A default HTTP profile (nshttp_default_profile) is configured to set the HTTP configurations that are applied by default, globally to all services and virtual servers.

The Netscaler ingress controller provides the following two smart annotations for HTTP profile. You can use these annotations to define the HTTP settings for the Netscaler. When you deploy an ingress that includes these annotations, the Netscaler ingress controller creates an HTTP profile derived from the default HTTP profile (nshttp_default_profile) configured on the Netscaler. Then, it applies the parameters that you have provided in the annotations to the new HTTP profile and applies the profile to the Netscaler.

Smart annotation Description Sample
ingress.citrix.com/frontend-httpprofile Use this annotation to create the front-end HTTP profile (Client Plane) ingress.citrix.com/frontend-httpprofile: '{"dropinvalreqs":"enabled", "websocket" : "enabled"}'
ingress.citrix.com/backend-httpprofile Use this annotation to create the back-end HTTP profile (Server Plane).
Note: Ensure that you manually enable the HTTP related global parameters on the Netscaler.
For example, to use HTTP2 at the back end (Server Plane), ensure that you can enable HTTP2Serverside global parameter in the Netscaler. For more information, see Configurating HTTP2.
ingress.citrix.com/backend-httpprofile: '{"app-1": {"dropinvalreqs":"enabled", "websocket" : "enabled"}}'

TCP profile

A TCP profile is a collection of TCP settings. A default TCP profile (nstcp_default_profile) is configured to set the TCP configurations that is applied by default, globally to all services and virtual servers.

The Netscaler ingress controller provides the following two smart annotations for TCP profile. You can use these annotations to define the TCP settings for the Netscaler. When you deploy an ingress that includes these annotations, the Netscaler ingress controller creates a TCP profile derived from the default TCP profile (nstcp_default_profile) configured on the Netscaler. Then, it applies the parameters that you have provided in the annotations to the new TCP profile and applies the profile to the Netscaler.

Smart annotation Description Sample
ingress.citrix.com/frontend-tcpprofile Use this annotation to create the front-end TCP profile (Client Plane) ingress.citrix.com/frontend-tcpprofile: '{"ws":"enabled", "sack" : "enabled"}'
ingress.citrix.com/backend-tcpprofile Use this annotation to create the back-end TCP profile (Server Plane) ingress.citrix.com/backend-tcpprofile: '{"citrix-svc":{"ws":"enabled", "sack" : "enabled"}}'

SSL profile

An SSL profile is a collection of settings for SSL entities. It offers ease of configuration and flexibility. Instead of configuring the settings on each entity, you can configure them in a profile and bind the profile to all the entities that the settings apply to.

Prerequisites

On the Netscaler, by default, SSL profile is not enable on the Ingress Netscaler. Ensure that you manually enable SSL profile on the Netscaler. Enabling the SSL profile overrides all the existing SSL related setting on the Netscaler, for detailed information on SSL profiles, see SSL profiles.

SSL profiles are classified into two categories:

  • Front end profiles, containing parameters applicable to the front-end entity. That is, they apply to the entity that receives requests from a client.
  • Back-end profiles, containing parameters applicable to the back-end entity. That is, they apply to the entity that sends client requests to a server.

Once you enable SSL profiles on the Netscaler, a default front end profile (ns_default_ssl_profile_frontend) is applied to the SSL virtual server and a default back-end profile (ns_default_ssl_profile_backend) is applied to the service or service group on the Netscaler.

The Netscaler ingress controller provides the following two smart annotations for SSL profile. You can use these annotations to customize the default front end profile (ns_default_ssl_profile_frontend) and back-end profile (ns_default_ssl_profile_backend) based on your requirement:

Smart annotation Description Sample
ingress.citrix.com/frontend-sslprofile Use this annotation to create the front end SSL profile (Client Plane). The front end SSL profile is required only if you have enabled TLS on the Client Plane. ingress.citrix.com/frontend-sslprofile: '{"hsts":"enabled", "tls12" : "enabled"}'
ingress.citrix.com/backend-sslprofile Use this annotation to create the back-end SSL profile (Server Plane). The SSL back end profile is required only if you use the ingress.citrix.com/secure-backend annotation for the back-end. ingress.citrix.com/backend-sslprofile: '{"citrix-svc":{"hsts":"enabled", "tls1" : "enabled"}}'

IMPORTANT: SSL profile does not enable you to configure SSL certificate.

Front-end profile configuration using annotations

HTTP, TCP, and SSL front-end profiles are attached to the client-side content switching virtual server or SSL virtual server. Since there can be multiple ingresses that use the same frontend-ip and also use the same content switching virtual server in the front-end, there can be possible conflicts that can arise from the front-end profiles annotation specified in multiple ingresses that share the front-end IP address.

The following are the guidelines for front-end profiles annotations for HTTP, TCP, and SSL.

  • For all ingresses with the same front-end IP address, it is recommended to have the same value for the front-end profile is specified in all ingresses.

  • If there are multiple ingresses that share front-end IP address, one can also create a separate ingress for each front-end IP address with empty rules (referred as the front-end ingress) where one can specify the front-end IP annotation as shown in the following example. You do not need to specify the front-end profile annotation in each ingress definition.

    • To create a front-end ingress for an HTTP type virtual server, see the following example:

        #Sample ingress manifest for the front-end configuration for an HTTP virtual server
        #The values for the parameters are for demonstration purpose only.
      
        ```
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          name: frontend-ingress
          annotations:
          # /* The CS virtual server is derived from the combination of
        insecure-port/secure-port, frontend-ip, and
        secure-service-type/insecure-service-type annotations. */
            ingress.citrix.com/insecure-port: "80"
            ingress.citrix.com/frontend-ip: "x.x.x.x"
            ingress.citrix.com/frontend-httpprofile:'{"dropinvalreqs":"enabled", "markconnreqInval" : "enabled"}'
            ingress.citrix.com/frontend-tcpprofile: '{"ws":"enabled", "sack" :
        "enabled"}'
        spec:
          rules:
           # Empty rule
          - host:
        ```
      
    • To create a front-end ingress for SSL type service, see the following example:

        #Sample ingress manifest for the front-end configuration for an SSL virtual server
        #The values for the parameters are for demonstration purpose only.
      
        ```
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          name: frontend-ingress
          annotations:
          #The CS virtual server is derived from the combination of
          #insecure-port/secure-port, frontend-ip, and
          #secure-service-type/insecure-service-type annotations.
            ingress.citrix.com/insecure-port: "80"
            ingress.citrix.com/secure-port: "443"
            ingress.citrix.com/frontend-ip: "x.x.x.x"
            ingress.citrix.com/frontend-sslprofile:
        '{"tls13":"enabled", "hsts" : "enabled"}'
            ingress.citrix.com/frontend-tcpprofile: '{"ws":"enabled", "sack" :
        "enabled"}'
        spec:
          rules:
          - host:
            #Presense of tls is considered as a secure service
          tls:
          - hosts:
        ```
      
  • If there are different values for the same front-end profile annotations in multiple ingresses, the following order is used to bind the profiles to the virtual server.

    • If any ingress definition has a front-end annotation with pre-configured profiles, that is bound to the virtual server.
    • Merge all the (key, values) from different ingresses of the same front-end IP address and use the resultant (key, value) for the front-end profiles smart annotation.
    • If there is a conflict for the same key due to different values from different ingresses, a value is randomly chosen and other values are ignored. You must avoid having conflicting values.
  • If there is no front-end profiles annotation specified in any of the ingresses which share the front-end IP address, then the global values from the ConfigMap that is FRONTEND_HTTP_PROFILE, FRONTEND_TCP_PROFILE, or FRONTEND_SSL_PROFILE is used for the HTTP, TCP, and SSL front-end profiles respectively.

Global front-end profile configuration using ConfigMap variables

The ConfigMap variable is used for the front-end profile if it is not overridden by front-end profiles smart annotation in one or more ingresses that shares a front-end IP address. If you need to enable or disable a feature using any front-end profile for all ingresses, you can use the variables FRONTEND_HTTP_PROFILE, FRONTEND_TCP_PROFILE, or FRONTEND_SSL_PROFILE for HTTP, TCP, and SSL profiles respectively. For example, if you want to enable TLS 1.3 for all SSL ingresses, you can use FRONTEND_SSL_PROFILE to set this value instead of using the smart annotation in each ingress definition. Refer ConfigMap documentation to know how to use configmap with Netscaler ingress controller.

Configuration using FRONTEND_HTTP_PROFILE

The FRONTEND_HTTP_PROFILE variable is used for setting the HTTP options for the front-end virtual server (client plane), unless overridden by the ingress.citrix.com/frontend-httpprofile smart annotation in the ingress definition.

To use an existing profile on Netscaler or use a built-in HTTP profile.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_HTTP_PROFILE: |
    preconfigured: my_http_profile

In the above example, my_http_profile is pre-existing HTTP profile in Netscaler

Alternatively, you can set the profile parameters as specified as follows. See the HTTP profile NITRO documentation for all possible key-values.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_HTTP_PROFILE: |
    config:
      dropinvalreqs: 'ENABLED'
      websocket: 'ENABLED'

Configuration using FRONTEND_TCP_PROFILE

The FRONTEND_TCP_PROFILE variable is used for setting the TCP options for the front-end virtual server (client side), unless overridden by the ingress.citrix.com/frontend-tcpprofile smart annotation in the ingress definition.

To use an existing profile on Netscaler or use a built-in TCP profile:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_TCP_PROFILE: |
    preconfigured: my_tcp_profile

In the above example, my_tcp_profile is pre-existing TCP profile in Netscaler

Alternatively, you can set the profile parameters as follows. See the Netscaler TCP profile NITRO documentation for all possible key values.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_TCP_PROFILE: |
    config:
      sack: 'ENABLED'
      nagle: 'ENABLED'

Configuration using FRONTEND_SSL_PROFILE

The FRONTEND_SSL_PROFILE variable is used for setting the SSL options for the front-end virtual server (client side) unless overridden by the ingress.citrix.com/frontend-sslprofile smart annotation in the ingress definition.

Note: For the SSL profile to work correctly, you must enable the default profile in Netscaler using the set ssl parameter -defaultProfile ENABLED command. Make sure that Netscaler ingress controller is restarted after enabling the default profile. The default profile is automatically enabled when Netscaler CPX is used as an ingress device. For more information about the SSL default profile, see the SSL profile documentation.

To use an existing profile on Netscaler or use a built-in SSL profile,

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_SSL_PROFILE: |
    preconfigured: my_ssl_profile

In the above example, my_ssl_profile is the pre-existing SSL profile in Netscaler.

Note: Default front end profile (ns_default_ssl_profile_frontend) is not supported using FRONTEND_SSL_PROFILE.preconfigured variable.

Alternatively, you can set the profile parameters as shown in the following example. See the SSL profile NITRO documentation for information on all possible key-values.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_SSL_PROFILE: |
    config:
      tls13: 'ENABLED'
      hsts: 'ENABLED'

The following example shows binding SSL cipher groups to the SSL profile. The order is as specified in the list with the higher priority is provided to the first in the list and so on. You can use any SSL ciphers available in Netscaler or user-created cipher groups in this field. For information about the list of cyphers available in the Netscaler, see Ciphers in Netscaler.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cic-configmap
  labels:
    app: citrix-ingress-controller
data:
  FRONTEND_SSL_PROFILE: |
    config:
      tls13: 'ENABLED'
      ciphers:
      - TLS1.3-AES256-GCM-SHA384
      - TLS1.3-CHACHA20-POLY1305-SHA256

Back-end configuration

Any ingress definition that includes service details, spec:rules:host, spec:backend entry, and so on are considered as back-end configuration.

Sample backend ingress manifest without TLS configuration:

#The values for the parameters are for demonstration purpose only.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
  # /* The CS virtual server is derived from the combination of insecure-port/secure-port, frontend-ip, and secure-service-type/insecure-service-type annotations. */
    ingress.citrix.com/backend-httpprofile: '{"apache":{"markhttp09inval": "disabled"}}'
    ingress.citrix.com/backend-tcpprofile: '{"apache":{"sack":"enabled"}}'
    ingress.citrix.com/frontend-ip: 'VIP_IP'
    ingress.citrix.com/insecure-port: "80"
  name: apache-ingress
spec:
  rules:
  - host: www.apachetest.com
    http:
      paths:
      - backend:
          service:
            name: apache
            port:
              number: 80
        path: /
        pathType: Prefix

Sample backend ingress manifest with TLS configuration:

#The values for the parameters are for demonstration purpose only.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
  # /* The CS virtual server is derived from the combination of insecure-port/secure-port, frontend-ip, and secure-service-type/insecure-service-type annotations. */
    ingress.citrix.com/backend-httpprofile: '{"hotdrink":{"markhttp09inval": "disabled"}}'
    ingress.citrix.com/backend-sslprofile: '{"hotdrink":{"snienable": "enabled"}}'
    ingress.citrix.com/backend-tcpprofile: '{"hotdrink":{"sack":"enabled"}}'
    ingress.citrix.com/frontend-ip: 'VIP_IP'
    ingress.citrix.com/secure-backend: '{"hotdrink":"true"}'
    ingress.citrix.com/secure-port: "443"
  name: hotdrink-ingress
spec:
  rules:
  - host: hotdrinks.beverages.com
    http:
      paths:
      - backend:
          service:
            name: hotdrink
            port:
              number: 443
        path: /
        pathType: Prefix
  tls:
  - secretName: hotdrink.secret

Using built-in or existing user-defined profiles on the Ingress Netscaler

You can use the individual smart annotations to configure the built-in profiles or existing user-defined profiles on the Ingress Netscaler for the front end and back-end configurations based on your requirement. For more information on built-in profiles, see Built-in TCP Profiles and Built-in HTTP profiles.

For the front end configuration, you can provide the name of the built-in or existing user-defined profiles on the Ingress Netscaler. The following is a sample ingress annotation:

ingress.citrix.com/frontend-httpprofile: "http_preconf_profile1"

Where, 'http_preconf_profile1' is the profile that exists on the Ingress Netscaler.

For the back-end configuration, you must provide the name of the built-in or existing profile on the Ingress Netscaler and the back-end service name. The following is a sample ingress annotation:

ingress.citrix.com/backend-httpprofile: '{"citrix-svc": "http_preconf_profile1"}'

Where, 'http_preconf_profile1' is the profile that exists on the Ingress Netscaler and citrix-svc is the back-end service name.

Sample HTTP profile:

ingress.citrix.com/frontend-httpprofile: "http_preconf_profile"
ingress.citrix.com/backend-httpprofile: '{"citrix-svc": "http_preconf_profile"}'

Sample TCP profile:

ingress.citrix.com/frontend-tcpprofile: "tcp_preconf_profile"
ingress.citrix.com/backend-tcpprofile: '{"citrix-svc":"tcp_preconf_profile"}'

Sample SSL profile:

ingress.citrix.com/frontend-sslprofile: "ssl_preconf_profile"
ingress.citrix.com/backend-sslprofile: '{"citrix-svc":"ssl_preconf_profile"}'

Example for applying HTTP, SSL, and TCP profiles

This example shows how to apply HTTP, SSL, or TCP profiles.

To create SSL, TCP, and HTTP profiles and bind them to the defined Ingress resource, perform the following steps:

  1. Define the front-end ingress resource with the required profiles. In this Ingress resource, back-end and TLS is not defined.

    A sample YAML (ingress1.yaml) is provided as follows:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        ingress.citrix.com/frontend-httpprofile: '{"dropinvalreqs":"enabled", "markconnreqInval" : "enabled"}'
        ingress.citrix.com/frontend-ip: 10.221.36.190
        ingress.citrix.com/frontend-sslprofile: '{"hsts":"enabled", "tls13" : "enabled"}'
        ingress.citrix.com/frontend-tcpprofile: '{"ws":"disabled", "sack" : "disabled"}'
        ingress.citrix.com/insecure-termination: allow
      name: ingress-vpx1
    spec:
      ingressClassName: vpx
      rules:
      - host: null
      tls:
      - hosts: null
    ---
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: vpx
    spec:
      controller: citrix.com/ingress-controller
    ---
    
  2. Deploy the front-end ingress resource.

    kubectl create -f ingress1.yaml
    
  3. Define the secondary ingress resource with the same front-end IP address and TLS and the back-end defined which creates the load balancing resource definition.

    A sample YAML (ingress2.yaml) is provided as follows:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations: {}
      ingress.citrix.com/frontend-ip: 10.221.36.190
      ingress.citrix.com/insecure-termination: allow
      name: ingress-vpx2
    spec:
      ingressClassName: vpx
      rules:
      - host: hotdrink.beverages.com
        http:
          paths:
          - backend:
              serviceName: frontend-hotdrinks
              servicePort: 80
            path: null
      tls:
      - secretName: <hotdrink-secret>
    ---
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: vpx
    spec:
      controller: citrix.com/ingress-controller
    ---
  4. Deploy the back-end ingress resource.

      kubectl create -f ingress2.yaml
    
  5. Once the YAMLs are applied the corresponding entities, profiles, and ingress resources are created and they were bound to the ingress resource.

     # show cs vserver <k8s150-10.221.36.190_443_ssl>
    
       k8s150-10.221.36.190_443_ssl (10.221.36.190:443) - SSL Type: CONTENT
       State: UP
       Last state change was at Thu Apr 22 20:14:44 2021
       Time since last state change: 0 days, 00:10:56.850
       Client Idle Timeout: 180 sec
       Down state flush: ENABLED
       Disable Primary Vserver On Down : DISABLED
       Comment: uid=QEYQI2LDW5WR4A6P3NSZ37XICKOJKV4HPEM2H4PSK4HWA3JQWCLQ====
       TCP profile name: k8s150-10.221.36.190_443_ssl
       HTTP profile name: k8s150-10.221.36.190_443_ssl
       Appflow logging: ENABLED
       State Update: DISABLED
       Default:   Content Precedence: RULE
       Vserver IP and Port insertion: OFF
       L2Conn: OFF Case Sensitivity: ON
       Authentication: OFF
       401 Based Authentication: OFF
       Push: DISABLED Push VServer:
       Push Label Rule: none
       Persistence: NONE
       Listen Policy: NONE
       IcmpResponse: PASSIVE
       RHIstate:  PASSIVE
       Traffic Domain: 0
    
       1)  Content-Switching Policy: k8s150-ingress-vpx1_tier-2-adc_443_k8s150-frontend-hotdrinks_tier-2-adc_80_svc    Priority: 200000004   Hits: 0
       Done
    

Example: Adding SNI certificate to an SSL virtual server

This example shows how to add a single SNI certificate.

Note: For the SSL profile to work correctly, you must enable the default profile in Netscaler using the set ssl parameter -defaultProfile ENABLED command. Make sure that Netscaler ingress controller is restarted after enabling default profile. For more information about the SSL default profile, see documentation.

  1. Define the front-end ingress resource with the required profiles. In this Ingress resource, back-end and TLS is not defined.

    A sample YAML (ingress1.yaml) is provided as follows:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        ingress.citrix.com/frontend-httpprofile: '{"dropinvalreqs":"enabled", "markconnreqInval"
          : "enabled"}'
        ingress.citrix.com/frontend-ip: 10.221.36.190
        ingress.citrix.com/frontend-sslprofile: '{"snienable": "enabled", "hsts":"enabled",
          "tls13" : "enabled"}'
        ingress.citrix.com/frontend-tcpprofile: '{"ws":"disabled", "sack" : "disabled"}'
        ingress.citrix.com/insecure-termination: allow
      name: ingress-vpx1
    spec:
      ingressClassName: vpx
      rules:
      - host: null
      tls:
      - hosts: null
    ---
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: vpx
    spec:
      controller: citrix.com/ingress-controller
    ---
    
  2. Deploy the front-end ingress resource.

     kubectl create -f ingress1.yaml
    
  3. Define the secondary ingress resource with the same front-end IP address defining back-end as well as SNI certificates. If hosts are specified then the certkey specified as the secret name is added as the SNI certificate.

    A sample YAML (ingress2.yaml) is provided as follows:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        ingress.citrix.com/frontend-ip: 10.221.36.190
        ingress.citrix.com/insecure-termination: allow
      name: ingress-vpx2
    spec:
      ingressClassName: vpx
      rules:
      - host: hotdrink.beverages.com
        http:
          paths:
          - backend:
              serviceName: web
              servicePort: 80
            path: /
      tls:
      - hosts:
        - hotdrink.beverages.com
        secretName: hotdrink-secret
    ---
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: vpx
    spec:
      controller: citrix.com/ingress-controller
    ---
  4. Deploy the secondary ingress resource.

      kubectl create -f ingress2.yaml
    

If multiple SNI certificates need to be bound to the front-end VIP, following is a sample YAML file.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/frontend-ip: 10.221.36.190
    ingress.citrix.com/insecure-termination: allow
  name: ingress-vpx-frontend
spec:
  ingressClassName: vpx
  rules:
  - host: hotdrink.beverages.com
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80
        path: /
  - host: frontend.agiledevelopers.com
    http:
      paths:
      - backend:
          serviceName: frontend-developers
          servicePort: 80
        path: /
  tls:
  - hosts:
    - hotdrink.beverages.com
    secretName: hotdrink-secret
  - hosts:
    - frontend.agiledevelopers.com
    secretName: <frontend-secret>

---

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: vpx
spec:
  controller: citrix.com/ingress-controller

Example: Binding SSL cipher group

This example shows how to bind SSL cipher group.

Note: For the SSL profile to work correctly, you must enable the default profile in Netscaler using the set ssl parameter -defaultProfile ENABLED command. Make sure that Netscaler ingress controller is restarted after enabling default profile.

Set default SSL profile on Netscaler using the command set ssl parameter -defaultProfile ENABLED before deploying Netscaler ingress controller. If you have already deployed Netscaler ingress controller, then redeploy it. For more information about the SSL default profile, see documentation.

For information on supported Ciphers on the Netscaler appliances, see Ciphers available on the Netscaler appliances.

For information about securing cipher, see securing cipher.

A sample YAML (cat frontend_ingress.yaml) is provided as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/frontend-httpprofile: '{"dropinvalreqs":"enabled", "markconnreqInval"
      : "enabled"}'
    ingress.citrix.com/frontend-ip: 10.221.36.190
    ingress.citrix.com/frontend-sslprofile: '{"snienable": "enabled", "hsts":"enabled",
      "tls13" : "enabled", "ciphers" : [{"ciphername": "test", "cipherpriority" :"1"}]}'
    ingress.citrix.com/frontend-tcpprofile: '{"ws":"disabled", "sack" : "disabled"}'
    ingress.citrix.com/insecure-termination: allow
  name: ingress-vpx
spec:
  ingressClassName: citrix
  rules:
  - host: null
  tls:
  - hosts: null
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: citrix
spec:
  controller: citrix.com/ingress-controller
---