Introduction
As microservice networks change and grow, the interactions between them can be difficult to manage and understand. This is why it is convenient to use a service mesh as a separate infrastructure layer. A service mesh is an approach to operating microservices at scale. It can handle routing and termination of traffic, monitoring and tracking, service delivery and routing, load balancing, circuit breaking, and mutual authentication. The service mesh takes these components and makes them part of the infrastructure layer, eliminating the need for developers to write specific code to support these functions.
Istio is a very popular open source service mesh that has been built into the Rancher Kubernetes management platform. This integration allows developers to focus on business logic, while the rest can be handed over to Kubernetes and Istio.
Citrix ADC (https://www.citrix.com/products/citrix-adc/platforms.html) is a comprehensive application delivery and load balancing solution for monolithic and Its advanced traffic management features can improve application performance and provide comprehensive security. Citrix ADC integrates with Istio both as the Ingress gateway of the service mesh environment and as a sidecar proxy that controls the communication between microservices. This integration allows you to strictly protect and optimize both the traffic entering the microservice-based application environment and its internal traffic. The Citrix ADC Ingress deployment is configured as a load balancer for the Kubernetes service. As a sidecar proxy, Citrix ADC handles service-to-service communication and makes this communication reliable, secure, observable, and manageable.
In this article, we will explore the integration of Citrix ADC as an Istio Ingress gateway and sidecar proxy with the Istio service mesh deployed on Rancher. We will introduce a new catalog template for deploying Citrix ADC as an Ingress gateway and a sidecar proxy injector.
The Rancher catalog provides a UI platform for DevOps engineers to deploy and run applications with out-of-the-box functions such as monitoring, auditing, and logging. You can find the Citrix Istio ingress gateway and sidecar injector in the Rancher Catalog.
Use Citrix ADC as Istio's ingress gateway
The Istio ingress gateway serves as the entry point for incoming traffic, ensuring access control to the service mesh. It also performs routing and load balancing. Citrix ADC CPX, MPX or VPX can be deployed as an ingress gateway to control the ingress traffic of the Istio service mesh.
Citrix ADC MPX or VPX as Ingress gateway
Citrix ADC VPX/MPX as Ingress gateway in Rancher Catalog
When Citrix ADC MPX/VPX is deployed as an Ingress Gateway device, the Istio-adaptor container mainly runs in the pod deployed and managed by the Ingress Gateway.
Citrix ADC CPX as Istio Ingress gateway
When Citrix ADC CPX is deployed as Ingress Gateway, both CPX and Istio-adaptor run as containers in the Ingress Gateway Pod.
Use Citrix ADC CPX as ingress gateway in Rancher catalog
Citrix Istio Adaptor
Citrix Istio Adaptor is open source software written in Go. Its main job is to automatically configure the Citrix ADC deployed in the Istio service mesh. Components such as Istio Pilot, Citadel, and Mixer constitute the Istio control plane. Pilot provides service discovery functions for the proxies in the mesh. It is essentially a gRPC xDS server, responsible for configuring the proxies at runtime.
Istio-adaptor is a gRPC client of the xDS server. It receives xDS resources such as clusters, listeners, routes, and endpoints from the xDS server through a secure gRPC channel. After receiving these resources, Istio-adaptor converts them into the equivalent Citrix ADC configuration blocks and uses RESTful NITRO calls to configure the related Citrix ADC. You can visit the following link to learn more about the Citrix Istio adaptor:
https://www.citrix.com/blogs/2019/11/13/citrix-adc-as-an-istio-ingress-gateway-part-1-deployment/
In the next section, we will use Rancher Catalog to set up Citrix ADC as a gateway and sidecar. The Ingress Gateway is a load balancer running at the edge of the mesh, which receives incoming connections. The sidecar proxy is used for monitoring, security, and resource allocation.
Use Rancher Catalog to set up Citrix ADC as Istio Ingress gateway
Prerequisites
To follow the steps below, prepare the following:
- Rancher deployment (you can quickly start and run Rancher through quick start on the official website)
- Kubernetes cluster managed by Rancher
- Enable Istio
- Make sure your cluster's Kubernetes version is 1.14.0 or above and that the admissionregistration.k8s.io/v1beta1 API is enabled
- Create a Kubernetes secret for the Citrix ADC username and password. Select [Resources→Secrets] in the navigation bar
Steps
1. Log in to Rancher
2. Create a namespace called citrix-system
3. Enter the cluster, then access the project level, navigate to [App→Launch]
4. Search for citrix in the search box
5. Click citrix-adc-istio-ingress-gateway.
Citrix ADC as Istio's Ingress gateway in Rancher Catalog
6. Click [Launch] to deploy Citrix ADC as ingress gateway
a) For Citrix ADC CPX, set the following environment variables to the values shown:
- Citrix ADC CPX: true
- ingressGateway EULA: true
- istioAdaptor.tag: 1.2.0
b) For Citrix ADC MPX/VPX, set the following environment variables:
- istioAdaptor version: 1.2.0
- netscalerUrl: Specify the Citrix ADC IP in URL format
- vServer IP: Specify an unused IP address for the Citrix ADC virtual server.
After you have updated the required variable values, click Launch. Navigate to Apps and verify that the Citrix-ingressgateway is running.
There are a few points to remember:
- If you want to expose multiple applications, set the exposeMutipleApps variable to true and fill in:
  - secretVolumes.name:
  - secretVolumes.secretName:
  - secretVolumes.mountPath:
- If you want to expose non-HTTP services (such as TCP-based applications), set the exposeNonHttpService variable to true and fill in:
  - tcpPort.name:
  - tcpPort.nodePort: (applicable in case of Citrix ADC CPX)
  - tcpPort.Port:
  - tcpPort.targetPort:
Citrix ADC as the sidecar of Istio
Citrix ADC CPX can be used as a sidecar proxy for application containers in Istio. You can inject Citrix ADC CPX manually or automatically using the Istio sidecar injector. The resources needed to inject sidecars automatically include a Kubernetes mutating webhook admission controller and services. Using Rancher Catalog, you can create the resources required to automatically deploy Citrix ADC CPX as a sidecar proxy.
Use Rancher Catalog to deploy Citrix ADC as Istio's Sidecar
Prerequisites
Deploying Citrix ADC as a sidecar in an application pod requires the following prerequisites:
- Make sure Istio is enabled
- Make sure your cluster's Kubernetes version is 1.14.0 or above and that the admissionregistration.k8s.io/v1beta1 API has been enabled
- Create the resources required for automatic sidecar injection by performing the following steps:
1. Download the webhook-create-signed-cert.sh script
2. Change script permissions to executable mode
chmod +x webhook-create-signed-cert.sh
3. Create a signed certificate and key pair and store it in a Kubernetes secret.
./webhook-create-signed-cert.sh \
--service cpx-sidecar-injector \
--secret cpx-sidecar-injector-certs \
--namespace citrix-system
Important:
Do not enable Istio automatic injection on the application namespace.
To automatically deploy Citrix ADC CPX as a sidecar in an application pod, the application namespace must be labeled cpx-injection=enabled.
kubectl label namespace <application_namespace> cpx-injection=enabled
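The two labeling rules above can be checked before deploying an application. The following script is an added example, not part of the original article or of the Citrix charts: it inspects the comma-separated label list shown in the LABELS column of kubectl get namespace <application_namespace> --show-labels. The function names are hypothetical, the sample label strings are constructed, and istio-injection=enabled is assumed to be the label that turns on Istio's own injector (Istio's standard label, not mentioned on this page).

```shell
#!/bin/sh
# Added example: preflight check of namespace labels for CPX sidecar injection.

# label_value LABELS KEY: print the value of KEY, return 1 if KEY is absent.
label_value() {
    local labels="$1" key="$2" pair
    local IFS=','
    for pair in $labels; do
        if [ "${pair%%=*}" = "$key" ]; then
            printf '%s' "${pair#*=}"
            return 0
        fi
    done
    return 1
}

# check_ns_labels LABELS: print a verdict.
# Returns 0 when only CPX injection is enabled, 1 when the CPX label is
# missing, 2 when Istio's injector is enabled on the same namespace.
check_ns_labels() {
    local labels="$1" cpx istio
    cpx="$(label_value "$labels" cpx-injection || true)"
    istio="$(label_value "$labels" istio-injection || true)"
    if [ "$istio" = "enabled" ]; then
        echo "CONFLICT: istio-injection=enabled is set; remove it"
        return 2
    fi
    if [ "$cpx" != "enabled" ]; then
        echo "MISSING: cpx-injection=enabled is not set"
        return 1
    fi
    echo "OK"
    return 0
}

# Constructed sample label lists (not taken from a real cluster).
for sample in \
    'kubernetes.io/metadata.name=bookinfo,cpx-injection=enabled' \
    'cpx-injection=enabled,istio-injection=enabled' \
    'team=payments'; do
    printf '%s -> %s\n' "$sample" "$(check_ns_labels "$sample" || true)"
done
```

A CONFLICT verdict means both injectors would act on pods created in that namespace, which is the situation the note above tells you to avoid.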
Steps:
1. Log in to Rancher
2. Create a namespace named citrix-system
3. Enter the cluster, access the project level, and navigate to [Apps→Launch]
4. Search for citrix in the search box
5. Click citrix-cpx-istio-sidecar-injector
6. Set environment variables:
a) IstioAdaptor version: 1.2.0
b) cpxProxy.EULA: YES
7. Update the value of the required variable and click Launch
8. Navigate to Apps and verify that cpx-sidecar-injector is running
Use Citrix ADC to access the sample application
You can find an example of deploying a sample bookinfo application at the following URL:
https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio
- If Citrix ADC VPX/MPX is deployed as an ingress gateway, the service will be accessed through the vServer IP. (This detail is mentioned in step 6b of the Citrix ADC VPX ingress gateway deployment.)
- If Citrix ADC CPX is deployed as an ingress gateway, the service can be accessed through the Ingress IP and port. Please visit this link for more information:
https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio#verification
Important note: To deploy Citrix ADC VPX or MPX as an ingress gateway, you should establish connectivity between the Citrix ADC VPX or MPX and the cluster nodes. This connectivity can be configured either through the static routing described in the Citrix ADC documentation (https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) or by deploying Citrix Node Controller.
Note: All images of the Catalog are taken from Rancher v2.4.4, which supports Istio 1.4.10 and Istio-adaptor version 1.2.0. To learn more about the architecture, visit: https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/architecture.md
Summary
In this article, we have shown you how to use the Citrix ADC Istio ingress gateway to configure ingress rules and the Citrix CPX Istio sidecar to configure the sidecar proxy. The gateway allows external traffic to enter the service mesh and manages the traffic of edge services. As a sidecar, Citrix ADC handles service-to-service communication and transparently routes all traffic for each service.
In this article, we deployed Citrix ADC with one click through the Helm chart in the Rancher catalog, and saw first-hand how the Rancher app store makes it easy to deploy and configure applications.