Alberto Moreno Posted July 25, 2019

Hello,

We configure yaml for application ingress and declare these two annotations:

```yaml
ingress.citrix.com/secure-port: "443"
ingress.citrix.com/secure-service-type: "ssl_tcp"
```

kubectl apply -f application-ingres.yaml returns all is ok, but in VPX we always see that the CS is configured in http on port 80 (default values).

We need this situation:

CLIENT -->https-->VPX VS-->http-->app ingress (k8s)

Reading annotations docs in https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/annotations/

Seems that the two annotations have no effect in VPX configuration via CIC.

Any ideas?

The yaml is like that:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: idata-portal-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: "citrix"
    ingress.citrix.com/secure-port: "443"
    ingress.citrix.com/secure-service-type: "ssl_tcp"
    ingress.citrix.com/insecure-port: "80"
    ingress.citrix.com/frontend-ip: "192.168.10.13"
    ingress.citrix.com/servicegroup: '{"citrix-svc":{"usip":"yes"}}'
spec:
  rules:
  - host: test.mango.com
    http:
      paths:
      - path:
        backend:
          serviceName: istio-ingressgateway
          servicePort: 80
```

Thanks in advance.

Alberto Moreno Posted July 30, 2019 Author

Hello,

Can someone help us with that?

Regards

Jim Grimm1709160134 Posted July 31, 2019

Have you tried removing the following line from your annotations to see if it changes the behavior you're experiencing?

```yaml
ingress.citrix.com/insecure-port: "80"
```

Alberto Moreno Posted July 31, 2019 Author

Hello,

Yes, I tried, but it doesn't have any effect.

Doing some tests, if the yaml is modified in this way (note insecure-port and insecure-service-type), then the CS is configured in SSL but lbserver still remains in HTTP. It doesn't make sense... not sure what's wrong:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ivisual-merchand-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: "citrix"
    ingress.citrix.com/frontend-ip: "192.168.10.9"
    ingress.citrix.com/insecure-port: "443"
    ingress.citrix.com/insecure-service-type: "ssl"
    ingress.citrix.com/servicegroup: '{"citrix-svc":{"usip":"yes"}}'
    ingress.citrix.com/lbvserver: '{"citrix-svc":{"servicetype":"SSL"}}'
spec:
  rules:
  - host: ivmc.mango.com
    http:
      paths:
      - path:
        backend:
          serviceName: istio-ingressgateway
          servicePort: 80
```

Regards

Mayur Patil Posted August 1, 2019

Hello,

There are some modifications required in the Ingress file to support the use case that you are targeting (CLIENT -->https-->VPX VS-->http-->app ingress (k8s)).

Since you want an SSL connection at the front end, the Ingress file should define the tls section under spec of the Ingress (please refer to the Ingress sample file below, copied from https://github.com/citrix/example-cpx-vpx-for-kubernetes-2-tier-microservices/blob/master/on-prem/config/ingress_vpx.yaml).

secure-port: 443: this annotation will come into the picture only after the tls section is present in the Ingress; this port is used to set a custom port for the SSL connection other than 443.

secure-service-type: this annotation will be used along with the tls section from the Ingress to define the type of SSL vserver protocol.

The insecure-port annotation is used with insecure-termination: "allow" to send the traffic on the non-secure port along with the secure port, but you will not need this annotation because you want an SSL connection at the front end.

Try to change the Ingress accordingly; please refer to the above link, where end-to-end demo yaml files are located for your reference.

Sample Ingress file:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-vpx
  annotations:
    kubernetes.io/ingress.class: "vpx"
    ingress.citrix.com/insecure-termination: "redirect"
    ingress.citrix.com/frontend-ip: "x.x.x.x"
    ingress.citrix.com/secure_backend: '{"lb-service-hotdrinks": "True","lb-service-colddrinks": "True"}'  ### This annotation helps to make backend service secure
spec:
  tls:  ### This section is required for secure front end connection
  - secretName: hotdrink-secret  ### this is secret used as server certificate in vserver config
  rules:
  - host: hotdrink.beverages.com
    http:
      paths:
      - path:
        backend:
          serviceName: lb-service-hotdrinks
          servicePort: 443
  - host: guestbook.beverages.com
    http:
      paths:
      - path:
        backend:
          serviceName: lb-service-guestbook
          servicePort: 80
  - host: colddrink.beverages.com
    http:
      paths:
      - path:
        backend:
          serviceName: lb-service-colddrinks
          servicePort: 443
```

Bhuvnesh Kumar Posted August 8, 2019

Hello,

There are 2 discrepancies in the Ingress YAML used in the above post.

1. We should not do SSL configuration using smart annotation. We have 1 dedicated link to set up ssl_tcp: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/how-to/tcp-udp-ingress/

2. The TLS section along with the secret under spec must be there to have an SSL type CSVS.

e.g.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: colddrinks-ingress
  annotations:
    kubernetes.io/ingress.class: "colddrink"
    ingress.citrix.com/secure-service-type: "ssl_tcp"
    ingress.citrix.com/secure_backend: '{"frontendcolddrinks":"True"}'  # if user wants to have encrypted backend traffic (SSL type LBVS)
spec:
  tls:
  - secretName: "colddrink-secret"
  backend:
    serviceName: frontend-colddrinks
    servicePort: 443
```

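Added example, not part of the original thread and not Citrix code: a small static check for the mismatch the replies describe, where secure-port / secure-service-type are set but spec.tls (with a secret) is missing, so the front end stays on plain HTTP. The finding codes, the sample objects and the placeholder secret name are constructed for illustration; the input is an Ingress object as a parsed dict, for example one loaded from JSON.

```python
# Added example: static check of Ingress objects for the annotation/TLS
# mismatch discussed in this thread. Finding codes and samples are constructed.
import json

PREFIX = "ingress.citrix.com/"


def audit_ingress(ingress):
    """Return finding codes for one Ingress object given as a parsed dict."""
    ann = (ingress.get("metadata") or {}).get("annotations") or {}
    tls = (ingress.get("spec") or {}).get("tls") or []

    def get(key):
        return ann.get(PREFIX + key)

    findings = []
    if (get("secure-port") or get("secure-service-type")) and not tls:
        # Per the replies, secure-* annotations only apply once spec.tls exists.
        findings.append("SECURE_ANNOTATIONS_WITHOUT_TLS")
    if tls and not any(entry.get("secretName") for entry in tls):
        # The secret is the server certificate used in the vserver config.
        findings.append("TLS_WITHOUT_SECRET")
    if get("insecure-port") is not None and get("insecure-termination") != "allow":
        # insecure-port is described as paired with insecure-termination: "allow".
        findings.append("INSECURE_PORT_WITHOUT_ALLOW")
    if tls and get("insecure-termination") == "allow":
        # Traffic is also accepted on the non-secure port next to the TLS one.
        findings.append("PLAINTEXT_ALLOWED_WITH_TLS")
    return findings


# Constructed sample modelled on the first post: secure-* set, no spec.tls.
AS_POSTED = json.loads("""
{"kind": "Ingress",
 "metadata": {"name": "idata-portal-ingress", "annotations": {
   "kubernetes.io/ingress.class": "citrix",
   "ingress.citrix.com/secure-port": "443",
   "ingress.citrix.com/secure-service-type": "ssl_tcp",
   "ingress.citrix.com/insecure-port": "80"}},
 "spec": {"rules": [{"host": "test.mango.com"}]}}
""")

# Same object with a tls section added and insecure-port dropped;
# the secret name is a placeholder, not a value from the thread.
WITH_TLS = json.loads(json.dumps(AS_POSTED))
WITH_TLS["spec"]["tls"] = [{"secretName": "example-tls-secret"}]
del WITH_TLS["metadata"]["annotations"][PREFIX + "insecure-port"]

if __name__ == "__main__":
    for obj in (AS_POSTED, WITH_TLS):
        print(obj["metadata"]["name"], audit_ingress(obj) or "ok")
```

An empty result only means none of these four checks fired; it does not confirm what the controller actually configured on the VPX.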