Jump to content
Welcome to our new Citrix community!

CIC ssl annotations have no effect on VPX CS/VS configuration


Recommended Posts

Hello,

 

We configure yaml for application ingress and declare this two annotations:

ingress.citrix.com/secure-port: "443"
ingress.citrix.com/secure-service-type: "ssl_tcp"

 

kubectl apply -f application-ingres.yaml returns all is ok, but in VPX we always see that the CS is configured in http on port 80 (default values).

 

We need this situation:  CLIENT -->https-->VPX VS-->http-->app ingress (k8s)

 

Reading annotations docs in https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/annotations/

 

Seems that the two annotations have no effect in VPX configuration via CIC.

 

Any ideas?

 

The yaml is like that:

 

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
 name: idata-portal-ingress
 namespace: istio-system
 annotations:
   kubernetes.io/ingress.class: "citrix"

   ingress.citrix.com/secure-port: "443"
   ingress.citrix.com/secure-service-type: "ssl_tcp"
   ingress.citrix.com/insecure-port: "80"
   ingress.citrix.com/frontend-ip: "192.168.10.13"
   ingress.citrix.com/servicegroup: '{"citrix-svc":{"usip":"yes"}}'
spec:
 rules:
 - host:  test.mango.com
   http:
     paths:
     - path:
       backend:
          serviceName: istio-ingressgateway
          servicePort: 80

 

Thanks in advanced.

Link to comment
Share on other sites

Hello,

 

Yes I tried but it doesn´t have any effect. Doing some test, if the yaml is modified in this way (note insecure-port and insecure-service-type), then de CS is configured in SSL but lbserver still remains in HTTP. It doesn't have sense...not sure what's wrong:

 

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
 name: ivisual-merchand-ingress
 namespace: istio-system
 annotations:
   kubernetes.io/ingress.class: "citrix"
   ingress.citrix.com/frontend-ip: "192.168.10.9"
   ingress.citrix.com/insecure-port: "443"
   ingress.citrix.com/insecure-service-type: "ssl"
   ingress.citrix.com/servicegroup: '{"citrix-svc":{"usip":"yes"}}'
   ingress.citrix.com/lbvserver: '{"citrix-svc":{"servicetype":"SSL"}}'
spec:
 rules:
 - host: ivmc.mango.com
   http:
     paths:
     - path:
       backend:
          serviceName: istio-ingressgateway
          servicePort: 80

 

 

Regards

 

 

On 25/7/2019 at 2:30 PM, Alberto Moreno said:

Hello,

 

We configure yaml for application ingress and declare this two annotations:

ingress.citrix.com/secure-port: "443"
ingress.citrix.com/secure-service-type: "ssl_tcp"

 

kubectl apply -f application-ingres.yaml returns all is ok, but in VPX we always see that the CS is configured in http on port 80 (default values).

 

We need this situation:  CLIENT -->https-->VPX VS-->http-->app ingress (k8s)

 

Reading annotations docs in https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/annotations/

 

Seems that the two annotations have no effect in VPX configuration via CIC.

 

Any ideas?

 

The yaml is like that:

 

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
 name: idata-portal-ingress
 namespace: istio-system
 annotations:
   kubernetes.io/ingress.class: "citrix"

   ingress.citrix.com/secure-port: "443"
   ingress.citrix.com/secure-service-type: "ssl_tcp"
   ingress.citrix.com/insecure-port: "80"
   ingress.citrix.com/frontend-ip: "192.168.10.13"
   ingress.citrix.com/servicegroup: '{"citrix-svc":{"usip":"yes"}}'
spec:
 rules:
 - host:  test.mango.com
   http:
     paths:
     - path:
       backend:
          serviceName: istio-ingressgateway
          servicePort: 80

 

Thanks in advanced.

 

Link to comment
Share on other sites

Hello,

 

There are some modification required in the Ingress file to support the use case that you are targeting (CLIENT -->https-->VPX VS-->http-->app ingress (k8s))

  • Since you want SSL connection at the front end, Ingress file should define the tls section under spec of Ingress (please refer below Ingress sample file copied from https://github.com/citrix/example-cpx-vpx-for-kubernetes-2-tier-microservices/blob/master/on-prem/config/ingress_vpx.yaml)
  • secure-port: 443 this annotation will come in the picture only after tls section is present in Ingress, this port is used to use custom port for SSL connection other than 443
  • secure-service-type : this annotation will be used along with tls section from Ingress to define the type of SSL vserver protocol
  • insecure-port annotation is used with insecure-termination: "allow" to send the traffic on non-secure port along with secure port, but you will not need this annotation because you want SSL connection in front end.

Try to change the Ingress accordingly, please refer to above link where end to end demo yaml files are located for your reference.

 

 

Sample Ingress file:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-vpx
  annotations:
   kubernetes.io/ingress.class: "vpx"
   ingress.citrix.com/insecure-termination: "redirect"
   ingress.citrix.com/frontend-ip: "x.x.x.x"
   ingress.citrix.com/secure_backend: '{"lb-service-hotdrinks": "True","lb-service-colddrinks": "True"}'        ### This annotation helps to make backend service secure
spec:
  tls:                                                     ### This section is required for secure front end connection                         
  - secretName: hotdrink-secret        ### this is secret used as server certificate in vserver config
  rules:
  - host:  hotdrink.beverages.com
    http:
      paths:
      - path: 
        backend:
          serviceName: lb-service-hotdrinks
          servicePort: 443
  - host:  guestbook.beverages.com
    http:
      paths:
      - path: 
        backend:
          serviceName: lb-service-guestbook
          servicePort: 80
  - host:  colddrink.beverages.com
    http:
      paths:
      - path: 
        backend:
          serviceName: lb-service-colddrinks
          servicePort: 443

  • Like 2
Link to comment
Share on other sites

Hello, 

  There are 2 discrepancies in Ingres YAML used in above post. 

1. We should not do SSL configuration using smart annotation. We have 1 dedicated link to setup ssl_tcp:

https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/tcp-udp-ingress/

2. TLS section along with secret under spec, must be there to have SSL type CSVS.

 

e.g. 

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

    name: colddrinks-ingress

    annotations:

        kubernetes.io/ingress.class: “colddrink”

        ingress.citrix.com/secure-service-type: “ssl_tcp”

        ingress.citrix.com/secure_backend: ‘{“frontendcolddrinks”:”True”}’.  // if user want to have encrypted backend traffic (SSL type LBVS)

spec:

    tls:

    - secretName: “colddrink-secret”

    backend:

        serviceName: frontend-colddrinks

        servicePort: 443

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...