Skip to content

Commit

Permalink
Merge pull request #673 from arijitra-citrix/master
Browse files Browse the repository at this point in the history
Reelase NSIC:2.2.10 and IPAM:2.0.1
  • Loading branch information
subashd authored Nov 15, 2024
2 parents 69d33b2 + 6245d8c commit 51ea8f9
Show file tree
Hide file tree
Showing 50 changed files with 461 additions and 54 deletions.
2 changes: 1 addition & 1 deletion canary/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ GitHub has many utilities available for integrating with other tools that form p

Following Citrix software versions are required for Citrix-Integrated Canary Deployment Solution:

- Netscaler ingress controller build/version: `quay.io/netscaler/netscaler-k8s-ingress-controller:2.1.4`.
- Netscaler ingress controller build/version: `quay.io/netscaler/netscaler-k8s-ingress-controller:2.2.10`.
- Netscaler CPX version: `quay.io/netscaler/netscaler-cpx:14.1-25.111`.
- Netscaler Metrics Exporter version: `quay.io/netscaler/netscaler-adc-metrics-exporter:1.4.9`.

Expand Down
2 changes: 1 addition & 1 deletion canary/manifest/cic-vpx.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ spec:
serviceAccountName: cpx
containers:
- name: cic-k8s-ingress-controller
image: "quay.io/netscaler/netscaler-k8s-ingress-controller:2.1.4"
image: "quay.io/netscaler/netscaler-k8s-ingress-controller:2.2.10"
env:
# Set NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)
- name: "NS_IP"
Expand Down
2 changes: 1 addition & 1 deletion canary/manifest/cpx-with-cic-sidecar.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: quay.io/netscaler/netscaler-k8s-ingress-controller:2.1.4
image: quay.io/netscaler/netscaler-k8s-ingress-controller:2.2.10
imagePullPolicy: Always
name: cic-k8s-ingress-controller
- args:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -291,7 +291,7 @@ The following table lists the mandatory and optional parameters that you can con
| Parameters | Mandatory or Optional | Default value | Description |
| --------- | --------------------- | ------------- | ----------- |
| license.accept | Mandatory | no | Set `yes` to accept the CIC end user license agreement. |
| image | Mandatory | `quay.io/netscaler/netscaler-k8s-ingress-controller:2.1.4` | The CIC image. |
| image | Mandatory | `quay.io/netscaler/netscaler-k8s-ingress-controller:2.2.10` | The CIC image. |
| pullPolicy | Mandatory | IfNotPresent | The CIC image pull policy. |
| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the Netscaler VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). |
| nsIP | Mandatory | N/A | The IP address of the Netscaler device. For details, see [Prerequisites](#prerequistes). |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# Declare variables to be passed into your templates.

# Netscaler ingress controller config details
image: quay.io/netscaler/netscaler-k8s-ingress-controller:2.1.4
image: quay.io/netscaler/netscaler-k8s-ingress-controller:2.2.10
pullPolicy: IfNotPresent
openshift: false
adcCredentialSecret:
Expand Down
200 changes: 200 additions & 0 deletions crd/icap/icap-crd-deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,200 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: icappolicies.citrix.com
spec:
group: citrix.com
names:
kind: icappolicy
plural: icappolicies
singular: icappolicy
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
additionalPrinterColumns:
- name: Status
type: string
description: "Current Status of the CRD"
jsonPath: .status.state
- name: Message
type: string
description: "Status Message"
jsonPath: .status.status_message
schema:
openAPIV3Schema:
type: object
properties:
status:
type: object
properties:
state:
type: string
status_message:
type: string
spec:
type: object
properties:
ingressclass:
description: "Ingress class, if not specified then all NetScaler ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
type: string
maxLength: 127
services:
type: array
description: 'Name of the services for which the icap policy needs to be bound'
items:
type: string
icap-servers:
type: object
description: "ICAP service for the ICAP server that will be part of the load balancing setup. The service that you add provides the ICAP connection between the NetScaler appliance and load balancing virtual servers."
properties:
servers:
type: array
items:
type: object
properties:
ip:
type: string
description: 'IP of the ICAP Server'
format: ipv4
port:
type: integer
description: 'Port number of the ICAP Server.'
minimum: 1
maximum: 65535
required:
- ip
- port
server-type:
type: string
description: 'Type of ICAP Server.'
enum: ['TCP', 'SSL_TCP']
default: 'SSL_TCP'
server_host_cert:
description: |+
'Name of the SSL certificate to be used with ICAP server.
This certificate is mandatory for server-type SSL_TCP'
type: object
properties:
tls_secret:
type: string
description: 'Name of the Kubernetes Secret of type tls referring to Certificate'
pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
preconfigured:
type: string
maxLength: 63
description: |+
'Preconfigured SSL certkey name on NetScaler with the
certificate and key already added on NetScaler'
oneOf:
- required: [tls_secret]
- required: [preconfigured]
required:
- servers
icap:
type: array
items:
type: object
properties:
preconfigured-profile:
description: 'Names of the preconfigured ICAP profile.'
type: string
maxLength: 127
direction:
description: 'ICAP Mode of operation. It is a mandatory argument while creating an icapprofile.'
type: string
enum: ['REQUEST','RESPONSE']
profile:
type: object
description: 'ICAP profile(s) of the NetScaler.'
properties:
preview:
description: 'Enable or Disable preview header with ICAP request. This feature allows an ICAP server to see the beginning of a transaction, then decide if it wants to opt-out of the transaction early instead of receiving the remainder of the request message.'
type: string
enum: ["ENABLED", "DISABLED"]
preview-length:
description: 'Value of Preview Header field. NetScaler uses the minimum of this set value and the preview size received on OPTIONS'
type: integer
minimum: 0
maximum: 4294967294
uri:
description: 'URI representing icap service. It is a mandatory argument while creating an icapprofile.'
type: string
maxLength: 511
host-header:
description: 'ICAP Host Header.'
type: string
maxLength: 255
user-agent-header:
description: 'ICAP User Agent Header'
type: string
maxLength: 255
query-params:
description: 'Query parameters to be included with ICAP request URI. Entered values should be in arg=value format. For more than one parameters, add & separated values. e.g.: arg1=val1&arg2=val2'
type: string
maxLength: 511
connection-keep-alive:
description: 'Enable or Disable sending Allow: 204 header in ICAP request.'
type: string
enum: ["ENABLED", "DISABLED"]
insert-icap-headers:
description: 'Insert custom ICAP headers in the ICAP request to send to ICAP server. The headers can be static or can be dynamically constructed using PI Policy Expression. For example, to send static user agent and Client''s IP address, the expression can be specified as "User-Agent: NS-ICAP-Client/V1.0r0-Client-IP: "+CLIENT.IP.SRC+"r0. The NetScaler does not check the validity of the specified header name-value. You must manually validate the specified header syntax.'
type: string
maxLength: 8191
insert-http-request:
description: 'Exact HTTP request, in the form of an expression, which the NetScaler encapsulates and sends to the ICAP server. If you set this parameter, the ICAP request is sent using only this header. This can be used when the HTTP header is not available to send or ICAP server only needs part of the incoming HTTP request. The request expression is constrained by the feature for which it is used. The NetScaler does not check the validity of this request. You must manually validate the request.'
type: string
maxLength: 8191
req-timeout:
description: 'Time, in seconds, within which the remote server should respond to the ICAP-request. If the Netscaler does not receive full response with this time, the specified request timeout action is performed. Zero value disables this timeout functionality.'
type: integer
minimum: 0
maximum: 86400
req-timeout-action:
description: 'Name of the action to perform if the Vserver/Server representing the remote service does not respond with any response within the timeout value configured. The Supported actions are * BYPASS - This Ignores the remote server response and sends the request/response to Client/Server. * If the ICAP response with Encapsulated headers is not received within the request-timeout value configured, this Ignores the remote ICAP server response and sends the Full request/response to Server/Client'
type: string
enum: ['BYPASS', 'DROP', 'RESET']
log-action:
description: 'Name of the audit message action which would be evaluated on receiving the ICAP response to emit the logs'
type: string
maxLength: 127
required:
- uri
content-inspection-criteria:
description: 'Expression that the policy uses to determine whether to execute the specified action.'
type: string
maxLength: 1499
default-action:
description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used'
type: string
maxLength: 127
log-action:
description: 'Name of the messagelog action to use for requests that match this policy.'
type: string
maxLength: 127
goto-priority-expression:
description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE.Specify one of the following values:* NEXT - Evaluate the policy with the next higher priority number.* END - End policy evaluation.Default value of goto-priority-expression: END'
type: string
operation:
description: 'Type of operation this action is going to perform. following actions are available to configure: * ICAP - forward the incoming request or response to an ICAP server for modification. * INLINEINSPECTION - forward the incoming or outgoing packets to IPS server for Intrusion Prevention. * MIRROR - Forwards cloned packets for Intrusion Detection. * NOINSPECTION - This does not forward incoming and outgoing packets to the Inspection device. * NSTRACE - capture current and further incoming packets on this transaction.'
type: string
enum: ['ICAP', 'INLINEINSPECTION', 'MIRROR', 'NOINSPECTION']
server-failure-action:
description: 'Name of the action to perform if the Vserver representing the remote service is not UP. This is not supported for NOINSPECTION Type. The Supported actions are: * RESET - Reset the client connection by closing it. The client program, such as a browser, will handle this and may inform the user. The client may then resend the request if desired. * DROP - Drop the request without sending a response to the user. * CONTINUE - It bypasses the ContentIsnpection and Continues/resumes the Traffic-Flow to Client/Server.'
type: string
enum: ['CONTINUE', 'DROP', 'RESET']
oneOf:
- required: [preconfigured-profile]
- required: [profile]
required:
- direction
- content-inspection-criteria
- operation
required:
- ingressclass
- services
- icap-servers
- icap
Loading

0 comments on commit 51ea8f9

Please sign in to comment.