
User SSL-Profile in Netscaler Ingress



I have configured an SSL-Profile 'ssl_profile_secure_frontend' on NetScaler VPX. Now I have made an ingress with smart annotations to use this configured profile for SSL termination, as described here: https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/profiles/

 

ingress.yaml looks like this:

 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/frontend-ip: x.x.x.x
    ingress.citrix.com/frontend-sslprofile: ssl_profile_secure_frontend
    ingress.citrix.com/insecure-port: "80"
    ingress.citrix.com/insecure-termination: redirect
    ingress.citrix.com/preconfigured-certkey: '{"certs": [ {"name":"schuler-konstruktionen.de",
      "type":"sni"} ] }'
    ingress.citrix.com/secure-port: "443"
    kubernetes.io/ingress.class: citrix
  name: release-name-alfresco-cs-ce-share
  namespace: alfresco-sk
spec:
  rules:
  - host: kermit.schuler-konstruktionen.de
    http:
      paths:
      - backend:
          serviceName: release-name-alfresco-cs-ce-share
          servicePort: 443
        path: /share
  tls:
  - {}
status:
  loadBalancer: {}

 

But when the CS is created, there is always only the default SSL_profile bound to the CS.


For the frontend profiles, you need to create an empty ingress called Frontend-ingress and write your annotations for SSL profiles there. You need not replicate the annotation for SSL profiles in each of the ingresses for the same frontend IP:port combination.

 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: admin-ingress
  annotations:
  # /* The CS virtual server is derived from the combination of insecure-port/secure-port, frontend-ip, and secure-service-type/insecure-service-type annotations. */
    ingress.citrix.com/frontend-ip: x.x.x.x
    ingress.citrix.com/frontend-sslprofile: ssl_profile_secure_frontend
    ingress.citrix.com/insecure-port: "80"
    ingress.citrix.com/insecure-termination: redirect
    ingress.citrix.com/preconfigured-certkey: '{"certs": [ {"name":"schuler-konstruktionen.de",
      "type":"sni"} ] }'
    ingress.citrix.com/secure-port: "443"
    kubernetes.io/ingress.class: citrix
spec:
  rules:
  - host:
  tls:
  - hosts:

Your actual ingress may exclude this line:

ingress.citrix.com/frontend-sslprofile: ssl_profile_secure_frontend

 

This is done to avoid the ingress limitation where multiple Ingresses on the same IP:Port can specify different SSL/TCP/HTTP policies.

 

 

 

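A pre-deployment check for the rule in the answer above, as an added example that is not part of the original thread and not Citrix tooling: it groups Ingress manifests by frontend-ip and secure-port and reports frontends where frontend-sslprofile is unset, set to different values, or repeated. The manifests, the `demo` namespace, the profile name `ssl_profile_legacy` and the 192.0.2.x addresses are constructed sample data.

```python
from collections import defaultdict

PREFIX = "ingress.citrix.com/"

def audit_frontends(ingresses):
    """Group Ingresses by (frontend-ip, secure-port) and report frontends whose
    frontend-sslprofile annotation is unset, conflicting, or repeated."""
    groups = defaultdict(list)
    for ing in ingresses:
        meta = ing.get("metadata", {})
        ann = meta.get("annotations") or {}
        if ann.get("kubernetes.io/ingress.class") != "citrix":
            continue  # only look at Ingresses of the class used on this page
        key = (ann.get(PREFIX + "frontend-ip", "unset"),
               ann.get(PREFIX + "secure-port", "unset"))
        name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        groups[key].append((name, ann.get(PREFIX + "frontend-sslprofile")))
    findings = []
    for key, members in sorted(groups.items()):
        holders = defaultdict(list)  # profile name -> Ingresses that set it
        for name, profile in members:
            if profile:
                holders[profile].append(name)
        if not holders:
            findings.append((key, "no-profile", [n for n, _ in members]))
        elif len(holders) > 1:
            findings.append((key, "conflict", sorted(holders)))
        elif len(next(iter(holders.values()))) > 1:
            findings.append((key, "repeated", next(iter(holders.values()))))
    return findings

def ingress(name, ip, profile=None):
    """Build a minimal Ingress manifest as a dict (constructed sample data)."""
    ann = {"kubernetes.io/ingress.class": "citrix",
           PREFIX + "frontend-ip": ip, PREFIX + "secure-port": "443"}
    if profile:
        ann[PREFIX + "frontend-sslprofile"] = profile
    return {"kind": "Ingress",
            "metadata": {"name": name, "namespace": "demo", "annotations": ann}}

SAMPLE = [  # constructed: one clean frontend, one conflict, one without profile
    ingress("frontend-ingress", "192.0.2.10", "ssl_profile_secure_frontend"),
    ingress("share", "192.0.2.10"),
    ingress("app-a", "192.0.2.20", "ssl_profile_secure_frontend"),
    ingress("app-b", "192.0.2.20", "ssl_profile_legacy"),
    ingress("app-c", "192.0.2.30"),
]

if __name__ == "__main__":
    for key, kind, detail in audit_frontends(SAMPLE):
        print(key, kind, detail)
```
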
