netscaler-k8s-ingress-controller
Add a second client helper to manage local cluster and remote cluster.
Is your feature request related to a problem? Please describe.
Use a kubernetes_url with kube-token to point to a different cluster.
- name: cic
  args:
    - --kube-token token-p9dkh:<token>
  env:
    - name: kubernetes_url
      value: https://<remote_url>:6443
This will give an error that it can't find its own pod. Probably to update a status.
2024-03-07 07:43:35,189 - DEBUG - [singleton.py:__call__:20] (MainThread) Singleton class <class 'triton.kubernetes.kubeeventwriter.podstatusevent.currentpod.CurrentPod'> got created
2024-03-07 07:43:35,258 - ERROR - [clienthelper.py:get:44] (MainThread) Reuqest /pods/<prefix>-citrix-ingress-controller-6498748c7f-jbhdp to the api server is not authorized
2024-03-07 07:43:35,258 - WARNING - [podstatusevent.py:write:78] (MainThread) PodStatusEvent: FAILURE: Getting pod Info: 401 Client Error: Unauthorized for url: https://<remote_url>:6443/api/v1/namespaces/citrix-ingress/pods/<prefix>-citrix-ingress-controller-6498748c7f-jbhdp
These two requests are probably handled by the same instance of clienthelper.py that points to kubernetes_url:
- Getting the netscaler resources. IngressClass, Ingress, Waf, etc...
- Getting the current CurrentPod
Describe the solution you'd like
Initialize 2 clienthelper.py:
- The first one using the local connection details using the serviceAccountName that is connected to the pod. https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy
- The second one using the arguments passed by environment variables or arguments: --kube-apiserver --kube-token kubernetes_url
Describe alternatives you've considered
There is no other solution provided by Citrix, other than manually adding a CPX to the VPX. The response was to add a CIC controller and add the entries to the VPX via Ingress. This CIC can't be on the customer cluster, because of security issues. So it has to be remote and that is not possible because of the above.
Additional context
- This enables a central citrix ingress controller to manage a remote cluster.
- This could enable one central citrix ingress controller to manage multiple remote clusters.
Something like this in the helmchart values yaml would be cool:
clusters:
  - clusterName: clusterA
    kubernetes_url: https://clusterA:6443
    entityPrefix: clsA
    ...
  - clusterName: clusterB
    kubernetes_url: https://clusterB:6443
    entityPrefix: clsB
    nodeWatch: true
    cncPbr: true
    disableAPIServerCertVerify: true
    ... all remote cluster settings
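A sketch of the two-client split requested above, added here as an example and not taken from the NetScaler ingress controller's code. The `ClusterClient` class and the function names are hypothetical, and all sample values are constructed. Each credential is bound to one API server, so the own-pod lookup uses the pod's serviceAccount and the remote token is only sent to `kubernetes_url`.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")  # standard in-pod mount

@dataclass(frozen=True)
class ClusterClient:
    """Credentials bound to exactly one API server (hypothetical helper)."""
    base_url: str
    token: str
    verify: object  # CA bundle path, or True for the system trust store

    def request_args(self, path):
        """Arguments an HTTP client such as requests.get(url, headers=, verify=) takes."""
        headers = {"Authorization": f"Bearer {self.token}"}
        return self.base_url.rstrip("/") + path, headers, self.verify

def local_client(env, sa_dir=SA_DIR):
    """Client for the cluster the controller pod runs in, using its serviceAccount."""
    url = f"https://{env['KUBERNETES_SERVICE_HOST']}:{env['KUBERNETES_SERVICE_PORT']}"
    return ClusterClient(url, (sa_dir / "token").read_text().strip(), str(sa_dir / "ca.crt"))

def build_clients(env, kube_token, sa_dir=SA_DIR):
    """Return (local, watched); watched falls back to local when kubernetes_url is unset."""
    local = local_client(env, sa_dir)
    if not env.get("kubernetes_url"):
        return local, local
    return local, ClusterClient(env["kubernetes_url"], kube_token, True)

def own_pod_path(env, sa_dir=SA_DIR):
    """API path of the controller's own pod; HOSTNAME defaults to the pod name."""
    namespace = (sa_dir / "namespace").read_text().strip()
    return f"/api/v1/namespaces/{namespace}/pods/{env['HOSTNAME']}"

def demo():
    """Run against a constructed serviceAccount directory and constructed env values."""
    with tempfile.TemporaryDirectory() as tmp:
        sa = Path(tmp)
        (sa / "token").write_text("local-sa-token\n")
        (sa / "namespace").write_text("citrix-ingress\n")
        (sa / "ca.crt").write_text("constructed placeholder\n")
        env = {"KUBERNETES_SERVICE_HOST": "10.96.0.1", "KUBERNETES_SERVICE_PORT": "443",
               "HOSTNAME": "cic-example-pod", "kubernetes_url": "https://remote.example:6443"}
        local, watched = build_clients(env, "remote-token", sa)
        pod = local.request_args(own_pod_path(env, sa))
        ingresses = watched.request_args("/apis/networking.k8s.io/v1/ingresses")
        return pod, ingresses

if __name__ == "__main__":
    for url, _headers, _verify in demo():
        print(url)
```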