Adding support for disabling APIServer Cert Verification in CIC
Signed-off-by: Subash Dangol <subash.dangol@citrix.com>
subashd committed Nov 23, 2021
1 parent c34bc90 commit d458299
Showing 26 changed files with 75 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -461,6 +461,7 @@ The following table lists the configurable parameters of the Citrix ADC CPX with
| cpx.ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
| cpx.setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
| cpx.updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. |
| cpx.disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| cpx.openshift | Optional | false | Set this argument if OpenShift environment is being used. |
| cpx.routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
| cpx.namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
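Review bot: the new `cpx.disableAPIServerCertVerify` row tells the user how to switch verification off but not what that costs, and the identical one-line description is repeated in every README touched by this commit. Turning off certificate verification removes server authentication on the controller's connection to kube-apiserver: anyone able to intercept that traffic can impersonate the API server, receive the controller's service-account bearer token, and hand it arbitrary Ingress and Service objects that it will then program into the ADC. The row should say so and present the switch as a troubleshooting aid rather than a neutral option, for example: `Set to True only for troubleshooting. This disables TLS verification of the kube-apiserver certificate and exposes the controller's credentials to a man-in-the-middle; if verification fails, supply the correct CA bundle instead.`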
Expand Up @@ -189,6 +189,10 @@ spec:
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
- --deployment-type
kube-bgp-router
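Review bot: the argument is gated on `.Values.disableAPIServerCertVerify` and then passes that same value, so whenever the block renders at all the value is truthy and repeating it adds nothing; worse, a quoted string such as `"False"` is non-empty and therefore true for Helm's `if`, which would render `--disable-apiserver-cert-verify False` and leave the outcome to however the controller parses that word. Either emit the bare flag inside the `if`, or gate on an explicit boolean test such as `{{- if eq (toString .Values.disableAPIServerCertVerify) "true" }}`. The same pattern is copied into every deployment template in this commit.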
Expand Up @@ -36,6 +36,9 @@ ingressIP:
# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true
ipam: False

# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False

sslCertManagedByAWS: False

nodeSelector:
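Review bot: the comment above `disableAPIServerCertVerify` is hard to read and, like the README row, omits the consequence of the setting; this is the text users actually see when editing values. Suggest: `# Set to True to skip TLS verification of the kube-apiserver certificate. Troubleshooting only: a man-in-the-middle can then impersonate the API server and obtain the controller's service-account token.` The same comment appears verbatim in each values.yaml in this commit.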
Expand Up @@ -319,6 +319,7 @@ The following table lists the mandatory and optional parameters that you can con
| cic.nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
| cic.nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
| cic.ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
| cic.disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| cic.logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
| cic.entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
| cic.updateIngressStatus | Optional | False | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
Expand Up @@ -69,6 +69,10 @@ spec:
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.updateIngressStatus }}
- --update-ingress-status
yes
Expand Up @@ -26,6 +26,8 @@ defaultSSLCertSecret:
podIPsforServiceGroupMembers: False
ignoreNodeExternalIP: False
ipam: False
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
logProxy:
nodeWatch: false
cncPbr: False
Expand Up @@ -175,6 +175,7 @@ The following table lists the mandatory and optional parameters that you can con
| mcIngress.nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. |
| mcIngress.nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. |
| mcIngress.logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
| mcIngress.disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| mcIngress.kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). |
| mcIngress.entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
| mcIngress.openshift | Optional | false | Set this argument if OpenShift environment is being used. |
Expand Up @@ -43,6 +43,10 @@ spec:
image: "{{ .Values.image }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: "NS_PROTOCOL"
value: "{{ .Values.nsProtocol }}"
- name: "NS_PORT"
value: "{{ .Values.nsPort }}"
- name: "LOCAL_REGION"
value: {{ .Values.localRegion }}
- name: "LOCAL_CLUSTER"
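Review bot: the new `NS_PROTOCOL` and `NS_PORT` environment variables have nothing to do with disabling API-server certificate verification and belong in their own commit with their own message. The change itself looks correct, and the quoting in `value: "{{ .Values.nsPort }}"` is needed because `nsPort: 443` would otherwise render as an integer, which is rejected for an env value; note the pre-existing `value: {{ .Values.localRegion }}` two lines below is unquoted and would break the same way if the region were ever numeric.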
Expand Down Expand Up @@ -72,6 +76,10 @@ spec:
args:
- --config-interface
gslb-endpoints
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.kubernetesURL }}
- name: "kubernetes_url"
value: "{{ .Values.kubernetesURL }}"
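Review bot: the `{{- if .Values.kubernetesURL }}` block immediately under the new flag emits `- name: "kubernetes_url"` / `value: "..."` into `args:`, that is, an env-style mapping inside a list of strings; if that branch ever renders, the container spec is invalid. The bug is pre-existing, but since this hunk edits the same `args:` list it is the right moment to move the `kubernetes_url` entry into `env:` (or make it a real argument), and the same defect is visible in the second copy of this template later in the commit.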
Expand Up @@ -17,6 +17,8 @@ nsProtocol: HTTPS
logLevel: INFO
# entityPrefix is the prefix for the resources on the Citrix ADC
entityPrefix:
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
# kubernetesURL is for registering events to kubeapi server
kubernetesURL:
# localRegion is the region where K8s cluster is deployed
1 change: 1 addition & 0 deletions citrix-cpx-with-ingress-controller/README.md
Expand Up @@ -455,6 +455,7 @@ The following table lists the configurable parameters of the Citrix ADC CPX with
| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. |
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
| routeLabels | Optional | N/A | You can use this parameter to provide the route labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by Citrix Ingress Controller for routeSharding in OpenShift cluster. |
Expand Up @@ -189,6 +189,10 @@ spec:
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
- --deployment-type
kube-bgp-router
3 changes: 3 additions & 0 deletions citrix-cpx-with-ingress-controller/values.yaml
Expand Up @@ -36,6 +36,9 @@ ingressIP:
# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true
ipam: False

# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False

sslCertManagedByAWS: False

nodeSelector:
1 change: 1 addition & 0 deletions citrix-ingress-controller/README.md
Expand Up @@ -312,6 +312,7 @@ The following table lists the mandatory and optional parameters that you can con
| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
| updateIngressStatus | Optional | False | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
4 changes: 4 additions & 0 deletions citrix-ingress-controller/templates/citrix-k8s-ingress.yaml
Expand Up @@ -69,6 +69,10 @@ spec:
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.updateIngressStatus }}
- --update-ingress-status
yes
10 changes: 6 additions & 4 deletions citrix-ingress-controller/values.yaml
Expand Up @@ -3,16 +3,16 @@
# Declare variables to be passed into your templates.

# Citrix Ingress Controller config details
image: quay.io/citrix/citrix-k8s-ingress-controller:1.19.6
image: citrix-ingress-controller:1.19.6
pullPolicy: IfNotPresent
imagePullSecrets: []
openshift: false
adcCredentialSecret:
nsIP: x.x.x.x
adcCredentialSecret:
nsIP: X.X.X.X
nsVIP:
nsSNIPS:
license:
accept: no
accept: yes
nsPort: 443
nsProtocol: HTTPS
logLevel: INFO
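Review bot: two changes in this hunk are unrelated to certificate verification and both weaken the chart's defaults. `image:` drops the `quay.io/citrix/` prefix, so the default pull now resolves the bare name `citrix-ingress-controller:1.19.6` against whatever registry the node defaults to (normally Docker Hub), where nothing guarantees that name is Citrix's image; an unqualified image reference in a default values file is a supply-chain problem. `license.accept` flips from `no` to `yes`, so the chart now accepts the license on the user's behalf instead of requiring an explicit opt-in. If both are intended they need their own commit and a changelog entry; otherwise restore `image: quay.io/citrix/citrix-k8s-ingress-controller:1.19.6` and `accept: no`. The removed-and-re-added `adcCredentialSecret:` / `nsIP:` pair looks like a whitespace-only change and can be dropped from the diff.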
Expand All @@ -26,6 +26,8 @@ defaultSSLCertSecret:
podIPsforServiceGroupMembers: False
ignoreNodeExternalIP: False
ipam: False
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
logProxy:
nodeWatch: false
cncPbr: False
1 change: 1 addition & 0 deletions citrix-multi-cluster-ingress-controller/README.md
Expand Up @@ -175,6 +175,7 @@ The following table lists the mandatory and optional parameters that you can con
| nsPort | Optional | 443 | The port used by CIC to communicate with Citrix ADC. You can use port 80 for HTTP. |
| nsProtocol | Optional | HTTPS | The protocol used by CIC to communicate with Citrix ADC. You can also use HTTP on port 80. |
| logLevel | Optional | DEBUG | The loglevel to control the logs generated by CIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG and TRACE. For more information, see [Logging](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).|
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| kubernetesURL | Optional | N/A | The kube-apiserver url that CIC uses to register the events. If the value is not specified, CIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). |
| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
| openshift | Optional | false | Set this argument if OpenShift environment is being used. |
Expand Up @@ -43,6 +43,10 @@ spec:
image: "{{ .Values.image }}"
imagePullPolicy: {{ .Values.pullPolicy }}
env:
- name: "NS_PROTOCOL"
value: "{{ .Values.nsProtocol }}"
- name: "NS_PORT"
value: "{{ .Values.nsPort }}"
- name: "LOCAL_REGION"
value: {{ .Values.localRegion }}
- name: "LOCAL_CLUSTER"
Expand Down Expand Up @@ -72,7 +76,12 @@ spec:
args:
- --config-interface
gslb-endpoints
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.kubernetesURL }}
- name: "kubernetes_url"
value: "{{ .Values.kubernetesURL }}"
{{- end}}

2 changes: 2 additions & 0 deletions citrix-multi-cluster-ingress-controller/values.yaml
Expand Up @@ -17,6 +17,8 @@ nsProtocol: HTTPS
logLevel: INFO
# entityPrefix is the prefix for the resources on the Citrix ADC
entityPrefix:
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
# kubernetesURL is for registering events to kubeapi server
kubernetesURL:
# localRegion is the region where K8s cluster is deployed
3 changes: 3 additions & 0 deletions citrix_cloud_native_values.yaml
Expand Up @@ -24,6 +24,7 @@ cic:
podIPsforServiceGroupMembers: False
ignoreNodeExternalIP: False
ipam: False
disableAPIServerCertVerify: False
logProxy:
nodeWatch: false
cncPbr: False
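Review bot: `disableAPIServerCertVerify: False` is added under `cic:` here, and under `mcIngress:` and `cpx:` in the following hunks, without the explanatory comment that accompanies the same key in each per-chart values.yaml. This umbrella file is the one users are most likely to edit, so it should carry the same warning about what the setting disables rather than a bare key.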
Expand Down Expand Up @@ -85,6 +86,7 @@ mcIngress:
nsProtocol: HTTPS
logLevel: INFO
entityPrefix:
disableAPIServerCertVerify: False
kubernetesURL:
sitedata:

Expand Down Expand Up @@ -153,6 +155,7 @@ cpx:
logLevel: INFO
defaultSSLCertSecret:
updateIngressStatus: False
disableAPIServerCertVerify: False
logProxy:
kubernetesURL:

1 change: 0 additions & 1 deletion examples/Servicemesh_with_GSLB_and_WAF/README.md
Expand Up @@ -55,7 +55,6 @@ Follow steps 7 - 10 from [this guide](https://docs.citrix.com/en-us/citrix-adc/c

**NOTE**

•Citrix ADC VPX version 13.0-82.45 or later.
•Citrix ADC VPX needs to be created in public subnet with 3 Elastic IPs (one for NSIP, SNIP and VIP each)
•Allow communication between Citrix ADC VPX and EKS clusters using security groups.
•Allow ports 80/443 from internet to access the application deployed.
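Review bot: deleting the prerequisite `Citrix ADC VPX version 13.0-82.45 or later.` is unrelated to this commit and unexplained. If the minimum version no longer applies, the commit message should say why; if it still applies, the line must stay. While here, the remaining bullets are `•` glued to the text with no space, so they do not render as a list; a markdown `- ` list would.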
1 change: 1 addition & 0 deletions examples/citrix-cpx-with-ingress-controller/README.md
Expand Up @@ -106,6 +106,7 @@ The following table lists the configurable parameters of the Citrix ADC CPX with
| ingressClass | Optional | Citrix | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify Citrix ingress controller to configure Citrix ADC associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here |
| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 |
| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. This is only applicable if servicetype of CPX service is LoadBalancer. |
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| openshift | Optional | false | Set this argument if OpenShift environment is being used. |

| crds.retainOnDelete | Optional | false | Set this argument if you want to retain CustomResourceDefinitions even after uninstalling CIC. This will avoid data-loss of Custom Resource Objects created before uninstallation. |
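Review bot: the blank line before the `crds.retainOnDelete` row, visible in the trailing context, splits the markdown table so that row renders as a stray pipe-delimited paragraph instead of a table row; since this hunk edits the table, remove the blank line. The new `disableAPIServerCertVerify` row has the same missing warning as the other README copies in this commit.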
Expand Up @@ -189,6 +189,10 @@ spec:
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.cpxBgpRouter }}
- --deployment-type
kube-bgp-router
3 changes: 3 additions & 0 deletions examples/citrix-cpx-with-ingress-controller/values.yaml
Expand Up @@ -36,6 +36,9 @@ ingressIP:
# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true
ipam: False

# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False

sslCertManagedByAWS: False

nodeSelector:
1 change: 1 addition & 0 deletions examples/citrix-ingress-controller/README.md
Expand Up @@ -111,6 +111,7 @@ The following table lists the mandatory and optional parameters that you can con
| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for Citrix ADC service group configurations. |
| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). |
| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. |
| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. |
| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for Citrix observability exporter. |
| entityPrefix | Optional | k8s | The prefix for the resources on the Citrix ADC VPX/MPX. |
| updateIngressStatus | Optional | False | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the Citrix ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). |
Expand Up @@ -69,6 +69,10 @@ spec:
- --ipam
citrix-ipam-controller
{{- end }}
{{- if .Values.disableAPIServerCertVerify }}
- --disable-apiserver-cert-verify
{{ .Values.disableAPIServerCertVerify }}
{{- end }}
{{- if .Values.updateIngressStatus }}
- --update-ingress-status
yes
2 changes: 2 additions & 0 deletions examples/citrix-ingress-controller/values.yaml
Expand Up @@ -26,6 +26,8 @@ defaultSSLCertSecret:
podIPsforServiceGroupMembers: False
ignoreNodeExternalIP: False
ipam: False
# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True
disableAPIServerCertVerify: False
logProxy:
nodeWatch: false
cncPbr: False