Jane interface
As microservice networks change and grow, their interactions can be difficult to manage and understand. This is why it is convenient to have the service grid as a separate infrastructure layer. A service grid is a way to process microservices on a large scale. It can handle routing and terminating traffic, monitoring and tracking, service delivery and routing, load balancing, circuit breaking, and mutual authentication. The service grid takes these components and makes them part of the infrastructure layer, eliminating the need for developers to write specific code to support these capabilities.
Istio is a popular open source service grid that is built into the Rancher Kubernetes management platform. This integration allows developers to focus on the business logic while Kubernetes and Istio solve the rest.
Citrix ADC (https://www.citrix.com/products/citrix-adc/platforms.html) is the monomer and the application of integrated application delivery services based on micro and load balancing solutions. Its advanced traffic management features improve application performance and provide comprehensive security. Citrix ADC is integrated with Istio as the Ingress gateway of the service grid environment and serves as a Sidecar proxy to control the communication between microservices. This integration allows you to rigorously protect and optimize traffic into and within microservices-based application environments. The Citrix ADC Ingress deployment is configured as a load balancer for the Kubernetes service. As a Sidecar Proxy, Citrix ADC handles service-to-service communication and makes this communication reliable, secure, observable, and manageable.
In this article, we will explore the integration of the Citrix ADC as the Istio Ingress gateway and Sidecar Proxy with the Istio service grid deployed on Rancher. We will introduce the new Catalog template for deploying the Citrix ADC as the Ingress Gateway and sidecar Proxy Injector.
The Rancher Catalog provides DevOps engineers with a UI platform to deploy and run applications with out-of-the-box capabilities such as monitoring, auditing, and logging. You can find the Citrix Istio Ingress gateway and sidecar injector in the Rancher Catalog.
Citrix ADC is used as the ingress gateway of Istio
Istio ingress The gateway serves as the entry point for incoming traffic and controls access to the service grid. It also performs routing and load balancing. Citrix ADC CPX, MPX, or VPX can be deployed as an Ingress gateway to control ingress traffic in the Istio service grid.
Citrix ADC MPX or VPX serves as the Ingress gateway
Citrix ADC VPX/MPX serves as the Ingress gateway in the Rancher Catalog
When Citrix ADC MPX/VPX is deployed as an Ingress Gateway device, the Istio-Adaptor container mainly runs in the POD managed by the Ingress Gateway deployment.
Citrix ADC CPX serves as the Istio Ingress gateway
When Citrix ADC CPX is deployed as the Ingress Gateway, both CPX and istio-Adaptor run as containers in the Ingress Gateway Pod.
Citrix ADC CPX is used as the Ingress gateway in the Rancher Catalog
Citrix Istio Adaptor
Citrix Istio Adaptor is open source software written in Go. Its main job is to automatically configure the Citrix ADC deployed in the Istio service grid. Components such as the Istio Pilot, Citadel, and Mixer make up the Istio control plane. Pilot provides service discovery for agents in the grid. It is essentially a gPRC×DS server that is responsible for configuring the agent at run time.
Istio-adaptor is the gRPC client of the xDS server and receives xDS resources such as clusters, listeners, routes, and endpoints from the xDS server over a secure gRPC channel. Upon receiving these resources, the Istio-Adaptor converts them into the same Citrix ADC configuration block and uses RESTful NITRO calls to configure the associated Citrix ADC. You can learn more about the Citrix Istio Adaptor by visiting the following links:
In the next section, we will set the Citrix ADC as a gateway and sidecar using the Rancher Catalog. Ingress Gateway describes a load balancer that runs at the edge of the grid and receives incoming connections. Sidecar Proxy is executed for monitoring, security, and resource allocation.
Rancher Catalog sets the Citrix ADC as the Istio Ingress gateway
preparation
To help you follow these steps, prepare the following:
- Rancher Deployment (you can get your Rancher up and running quickly via Quick Start on your website)
- A Kubernetes cluster managed by Rancher
- Enable Istio
- Make sure your cluster Kubernetes version in 1.14.0 and above and enable admissionregistration. K8s. IO/v1beta1 API
- Create a Kubernetes Secret for the Citrix ADC user name and password. In the navigation, go to Resources →Secrets.
steps
1. Log in to Rancher
Create a namespace named citrix-system
3, go to the cluster, then go to the project level, navigate to [App→Launch]
Search for Citrix in the search box
5. Click citrix-adC-istio-ingress-gateway.
Citrix ADC serves as the Ingress gateway of Istio in the Rancher Catalog
6. Click [Launch] to deploy Citrix ADC as the Ingress gateway
A) For Citrix ADC CPX: Set the following environment variables with specific values
- Citrix ADC CPX-true
- IngressGateway EULA – true
- IstioAdaptor. Tag – 1.2.0
B) For Citrix ADC MPX/VPX: Set the following environment variables:
- IstioAdaptor version: 1.2.0
- NetscalerUrl: Specifies the Citrix ADC IP address in the URL format
- VServer IP: Specifies an unused IP address for the Citrix ADC virtual server.
When you have updated the required variable values, click launch. Navigate to Apps and verify that citrix-IngressGateway is running.
A few points to keep in mind:
– If you want to expose multiple applications:
Set the exposeMutipleApps variable to true
- secretVolumes.name:
- secretVolumes.secretName:
- secretVolumes.mountPath:
– If you want to expose non-HTTP services (such as TCP-based applications) :
Set the exposeNonHttpService variable to true
- tcpPort.name:
- tcpPort.nodePort: . // applicable in case of Citrix ADC CPX
- tcpPort.Port:
- tcpPort.targetPort:
Citrix ADC serves as the sidecar of Istio
Citrix ADC CPX can serve as a Sidecar proxy for the application container in Istio. You can manually or automatically inject Citrix ADC CPX using the Istio Sidecar injector. Automatically inject the resources required by sidecar, including Kubernetes mutating Webhook Admission Controller and service. With Rancher Catalog, you can create the resources required to automatically deploy Citrix ADC CPX as a Sidecar Proxy.
Deploy the Citrix ADC as the Sidecar of Istio using the Rancher Catalog
preparation
Deploying the Citrix ADC as a sidecar in an application POD requires the following prerequisites:
- Ensure that Istio is enabled
- Make sure your cluster Kubernetes version in 1.14.0 and above and admissionregistration. K8s. IO/v1beta1 API has been enabled
- Perform the following steps to create the resources required for automatic Sidecar injection:
1. Download the webhook- creation-signed-cert. sh script
2. Change the script permission to executable mode
chmod +x webhook-create-signed-cert.sh
Create a signed certificate, key pair and store it in Kubernetes Secret.
./webhook-create-signed-cert.sh \
--service cpx-sidecar-injector \
--secret cpx-sidecar-injector-certs \
--namespace citrix-system
Important Note:
Do not enable Istio automatic injection on the application namespaces.
To automatically deploy Citrix ADC CPX as a sidecar in an application POD, the application namespace must be marked with cpx-injection=enabled.
Kubectl label namespace <application_namespace> cpx-injection=enabled
Steps:
1. Log in to Rancher
Create a namespace named citrix-system
3, enter the cluster, access the project level, navigate to [Apps→Launch]
Search for Citrix in the search box
5. Click Citrix-cpX-Istio-Sidecar-Injector
6, set environment variables:
A) IstioAdaptor version: 1.2.0
B) cpxProxy. EULA : YES
1. Update the values of the required variables and click Launch
2, navigate to Apps and verify that cpX-Sidecar-Injector is running
Use the Citrix ADC to access the sample application
You can find an example of deploying the sample Bookinfo application at:
https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio
- If Citrix ADC VPX/MPX is deployed as the ingress gateway, the service is accessed through the vServer IP address. (This detail is mentioned in step 6b of Citrix ADC VPX deployment as the Ingress gateway).
- If Citrix ADC CPX is deployed as the ingress gateway, services can be accessed through the INGress IP address and port. Visit this link to learn more:
https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio#verification
Important: To deploy Citrix ADC VPX or MPX as an ingress gateway, you should establish connections between Citrix ADC VPX or MPX and the cluster nodes. This connectivity can pass on the Citrix ADC mentioned routing configuration link (https://github.com/citrix/cit)… Or deploy the Citrix Node Controller.
Note: All images of Catalog are taken from Rancher V.2.4.4, which supports Istio 1.4.10 and Istio-Adaptor 1.2.0. Visit here to learn more about architecture:
https://github.com/citrix/cit…
Total knot
In this article, we have shown you how to configure the Ingress rules using the Citrix ADC Istio Ingress gateway and the Sidecar Proxy using the Citrix CPX Istio Sidecar. The gateway allows external traffic into the service grid and manages traffic for edge services. Citrix ADC is used as a sidecar for service-to-service communication and transparently routes all traffic for each service.
In this article, we deployed the Citrix ADC using the Helm chart in the Rancher Catalog with one click to get an intuitive feel for how the Rancher App Store makes it easy to deploy and configure applications.