Merge pull request #454 from citrix/support-update

Support update

Author: sreejithgs

crd/auth/README.md

@@ -45,7 +45,9 @@ The following are the attributes for forms based authentication.
 |`listener_name`| The name of the Listener CRD for which the authentication using forms is applicable.|
 | `vip` |Specifies the front-end IP address of the Ingress for which the authentication using forms is applicable. This attribute refers to the `frontend-ip` address provided with the Ingress. If there is more than one Ingress resource which uses the same frontend-ip, it is recommended to use vip.|
 
-**Note:** While using forms, authentication can be enabled for all types of traffic. Currently, granular authentication is not supported.
+**Note:** While using forms, authentication can be enabled for all types of traffic. Currently, granular authentication is not supported. 
+
+**Note:**  Depending on the resource to which you need to apply form based authentication, you can use one of the `ingress_name`, `lb_service_name`, `listener_name`, or `vip` attributes to specify the resource.
 
 ### Authentication providers
 
@@ -412,7 +414,7 @@ spec:
         authentication_host: "fqdn_authenticaton_host"
         authentication_host_cert:
           tls_secret: authhost-tls-cert-secret
-        ingress_name: “example-ingress”
+        listener_name: “example-listener”
 
     authentication_providers:
         - name: "saml-auth-provider"
@@ -613,4 +615,5 @@ stringData:
   username: 'ldap_server_username'
   password: 'ldap_server_password'
 
-```
+```
+        

crd/cors/README.md

@@ -0,0 +1,83 @@
+# Configure cross-origin resource sharing policies with Citrix ingress controller
+
+Citrix provides a Custom Resource Definition (CRD) called the CORS CRD for Kubernetes. You can use the CORS CRD to configure the cross-origin resource sharing (CORS) policies with Citrix ingress controller on the Citrix ADC.
+
+## What is CORS
+
+Cross-Origin resource sharing is a mechanism that allows the browser to determine whether a specific web application can share resources with another web application from a different origin. It allows users request resources (For example, images, fonts, and videos) from domains outside the original domain.
+
+## CORS pre-flight
+
+Before a web browser allowing Javascript to issue a POST to a URL, it performs a `pre-flight` request. A pre-flight request is a simple request to the server with the same URL using the method OPTIONS rather than POST. The web browser checks the HTTP headers for CORS related headers to determine if POST operation on behalf of the user is allowed.
+
+  ![CORS request](../../docs/media/cors-api.png)
+
+## CORS CRD definition
+
+The CORS CRD is available in the Citrix ingress controller GitHub repo at: [cors-crd.yaml](https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/crd/cors/cors-crd.yaml). The CORS CRD provides attributes for the various options that are required to define the CORS policy on the Ingress Citrix ADC that acts as an API gateway. The required attributes include: `servicenames`, `allow_origin`, `allow_methods`, and `allow_headers`.
+
+The following are the attributes provided in the CORS CRD:
+
+| Attribute | Description |
+| --------- | ----------- |
+| `servicenames` | Specifies the list of Kubernetes services to which you want to apply the CORS policies.|
+| `allow_origin` | Specifies the list of allowed origins. Incoming origin is screened against this list.|
+|`allow_methods`| Specifies the list of allowed methods as part of the CORS protocol.|
+| `allow_headers`| Specifies the list of allowed headers as part of the CORS protocol.|
+|`max_age`| Specifies the number of seconds the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. The default value is 86400.|
+| `allow_credentials` |Specifies whether the response can be shared when the credentials mode of the request is "include". The default value is 'true'.|
+
+## Deploy the CORS CRD
+
+Perform the following to deploy the CORS CRD:
+
+1.  Download the [CORS CRD](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/crd/cors/cors-crd.yaml).
+
+2.  Deploy the CORS CRD using the following command:
+
+        kubectl create -f cors-crd.yaml
+
+    For example:
+
+        $ kubectl create -f cors-crd.yaml
+        customresourcedefinition.apiextensions.k8s.io/corspolicies.citrix.com created
+        $ kubectl get crd
+        NAME                         CREATED AT
+        corspolicies.citrix.com      2021-05-21T20:01:13Z
+
+### How to write a CORS policy configuration
+
+After you have deployed the CORS CRD provided by Citrix in the Kubernetes cluster, you can define the CORS policy configuration in a `.yaml` file. In the `.yaml` file, use `corspolicy` in the kind field and in the `spec` section add the CORS CRD attributes based on your requirement for the policy configuration.
+
+The following YAML file applies the configured policy to the services listed in the servicenames field. Citrix ADC responds with a 200 OK response code for the pre-flight request if the origin is one of the `allow_origins` ["random1234.com", "hotdrink.beverages.com"]. The response includes configured `allow_methods`, `allow_headers`, and `max_age`.
+
+```yml
+apiVersion: citrix.com/v1beta1
+kind: corspolicy
+metadata:
+  name: corspolicy-example
+spec:
+  servicenames:
+   - "cors-service"
+  allow_origin:
+   - "random1234.com"
+   - "hotdrink.beverages.com"
+  allow_methods:
+   - "POST"
+   - "GET"
+   - "OPTIONS"
+  allow_headers:
+   - "Origin"
+   - "X-Requested-With"
+   - "Content-Type"
+   - "Accept"
+   - "X-PINGOTHER"
+  max_age: 86400
+  allow_credentials: true
+```
+After you have defined the policy configuration, deploy the `.yaml` file using the following commands:
+
+    user@master:~/cors$ kubectl create -f corspolicy-example.yaml
+    corspolicy.citrix.com/corspolicy-example created
+
+The Citrix ingress controller applies the policy configuration on the Ingress Citrix ADC device.

crd/cors/cors-crd.yaml

@@ -0,0 +1,64 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: corspolicies.citrix.com
+spec:
+  group: citrix.com
+  version: v1beta1
+  names:
+    kind: corspolicy
+    plural: corspolicies
+    singular: corspolicy
+    shortNames:
+    - cp
+  scope: Namespaced
+  subresources:
+    status: {}
+  additionalPrinterColumns:
+    - name: Status
+      type: string
+      description: 'Current Status of the CRD'
+      JSONPath: .status.state
+    - name: Message
+      type: string
+      description: 'Status Message'
+      JSONPath: .status.status_message
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          properties:
+            ingressclass:
+              type: string
+              description: "Ingress class, if not specified then all citrix ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource"
+            servicenames:
+              description: 'The list of Kubernetes services to which you want to apply the cors policies.'
+              type: array
+              items:
+                type: string
+                maxLength: 63
+            allow_origin:
+              description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request'
+              type: array
+              items:
+                type: string
+                maxLength: 2083
+            allow_methods:
+              description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.'
+              type: array
+              items:
+                type: string
+                maxLength: 127
+            allow_headers:
+              description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.'
+              type: array
+              items:
+                type: string
+                maxLength: 127
+            max_age:
+              description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.'
+              type: integer
+            allow_credentials:
+              description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.'
+              type: boolean
+          required: [servicenames, allow_origin, allow_methods, allow_headers]

crd/ratelimit/README.md

@@ -4,11 +4,13 @@ In a Kubernetes deployment, you can rate limit the requests to the resources on
 
 Citrix provides a Kubernetes [CustomResourceDefinitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) (CRDs) called the **Rate limit CRD** that you can use with the Citrix ingress controller to configure the rate limiting configurations on the Citrix ADCs used as Ingress devices.
 
-Apart from rate limiting the requests to the services in Kubernetes environment, you can use the Rate limit CRD for API security as well. The Rate limit CRD allows you to limit the REST API request to API servers or specific API endpoints on the API servers. It monitors and keeps track of the requests to the API server or endpoints against the allowed limit per time slice and hence protects from attacks such as DDos attack.
+Apart from rate limiting the requests to the services in a Kubernetes environment, you can use the Rate limit CRD for API security as well. The Rate limit CRD allows you to limit the REST API request to API servers or specific API endpoints on the API servers. It monitors and keeps track of the requests to the API server or endpoints against the allowed limit per time slice and hence protects from attacks such as the DDoS attack.
+
+You can enable logging for observability with the rate limit CRD. Logs are stored on Citrix ADC which can be viewed by checking the logs using the shell command. The file location is based on the syslog configuration. For example, `/var/logs/ns.log`.
 
 ## Rate limit CRD definition
 
-The Rate limit CRD is available in the Citrix ingress controller GitHub repo at: [ratelimit-crd.yaml](https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/crd/ratelimit/ratelimit-crd.yaml). The Rate limit CRD provides [attributes](#ratelimit-crd-attributes) for various options that are required to define the rate limit policies on the Ingress Citrix ADC that acts as an API gateway.
+The Rate limit CRD is available in the Citrix ingress controller GitHub repo at: [ratelimit-crd.yaml](https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/crd/ratelimit/ratelimit-crd.yaml). The **Rate limit CRD provides** [attributes](#ratelimit-crd-attributes) for the various options that are required to define the rate limit policies on the Ingress Citrix ADC that acts as an API gateway.
 
 The following is the Rate limit CRD definition ([ratelimit-crd.yaml](https://raw.githubusercontent.com/citrix/citrix-k8s-ingress-controller/master/crd/ratelimit/ratelimit-crd.yaml)):
 
@@ -25,17 +27,6 @@ spec:
     plural: ratelimits
     singular: ratelimit
   scope: Namespaced
-  subresources:
-    status: {}
-  additionalPrinterColumns:
-    - name: Status
-      type: string
-      description: "Current Status of the CRD"
-      JSONPath: .status.state
-    - name: Message
-      type: string
-      description: "Status Message"
-      JSONPath: .status.status_message
   validation:
     openAPIV3Schema:
       properties:
@@ -76,7 +67,7 @@ spec:
               description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds'
               type: integer
             limittype:
-              description: "Burst mode or smooth. Defaults to burst if limittype is not specified"
+              description: "Burst mode or smooth. Defaults to smooth limittype if not specified"
               type: string
               enum: ['BURSTY','SMOOTH']
             throttle_action:
@@ -86,6 +77,19 @@ spec:
             redirect_url:
               type: string
               description: "Redirect-URL"
+            logpackets:
+              description: 'Adds an audit message action.
+                            The action specifies whether to log the message, and to which log.'
+              properties:
+                logexpression:
+                  description: 'Default-syntax expression that defines the format and content of the log message.'
+                  type: string
+                  maxLength: 7991
+                loglevel:
+                  description: 'Audit log level, which specifies the severity level of the log message being generated.'
+                  type: string
+                  enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"]
+              required: [logexpression, loglevel]
           required: [servicenames, req_threshold]
 ```
 
@@ -96,12 +100,15 @@ The following table lists the various attributes provided in the Rate limit CRD:
 | CRD attribute | Description |
 | ---------- | ----------- |
 | `servicename` | The list of Kubernetes services to which you want to apply the rate limit policies. |
-| `selector_keys` | The traffic selector keys that filter the traffic to identify the API requests against which the throttling is applied and monitored. </br> </br>**Note:** The `selector_keys` is an optional attribute. You can choose to configure zero, one or more of the selector keys. If more than one selector keys are configured then it is considered as a logical AND expression.</br></br> In this version of the Rate limit CRD, `selector_keys` provides `basic` configuration section that you can use to configure the following commonly used traffic characteristics as the keys against which the configured limits are monitored and throttled:</br></br> - **path:** An array of URL path prefixes that refer to a specific API endpoint. For example, `/api/v1/products/` </br> - **method:** An array of HTTP methods. Allowed values are GET, PUT, POST, or DELETE. </br> - **header_name:** HTTP header that has the unique API client or user identifier. For example, `X-apikey` which comes with unique API-key that identifies the API client sending the request. </br>- **per_client_ip:** Allows you to monitor and apply the configured threshold to each API request received per unique client IP address. |
+| `selector_keys` | The traffic selector keys that filter the traffic to identify the API requests against which the throttling is applied and monitored. </br> </br>**Note:** The `selector_keys` is an optional attribute. You can choose to configure zero, one or more of the selector keys. If more than one selector keys are configured then it is considered as a logical AND expression.</br></br> In this version of the Rate limit CRD, `selector_keys` provides the `basic` configuration section that you can use to configure the following commonly used traffic characteristics as the keys against which the configured limits are monitored and throttled:</br></br> - **path:** An array of URL path prefixes that refer to a specific API endpoint. For example, `/api/v1/products/` </br> - **method:** An array of HTTP methods. Allowed values are GET, PUT, POST, or DELETE. </br> - **header_name:** HTTP header that has the unique API client or user identifier. For example, `X-apikey` which comes with a unique API-key that identifies the API client sending the request. </br>- **per_client_ip:** Allows you to monitor and apply the configured threshold to each API request received per unique client IP address. |
 | `req_threshold` | The maximum number of requests that are allowed in the given time slice (request rate). |
 | `timeslice` | The time interval specified in microseconds (multiple of 10 s), during which the requests are monitored against the configured limits. If not specified it defaults to 1000 milliseconds. |
-| `limittype` | It allows you to configure the following type of throttling algorithms that you want to use to apply the limit: </br> - burst </br> - smooth </br> The default is ***burst*** mode.
-| `throttle_action` | It allows you to define the throttle action that needs to be taken on the traffic that's throttled for crossing the configured threshold. </br></br> The following are the throttle action that you can define: </br> - **DROP:** Drops the requests above the configured traffic limits. </br>- **RESET:** Resets the connection for the requests crossing configured limit. </br> - **REDIRECT:** Redirects the traffic to the configured `redirect_url`. </br> - **RESPOND:** Responds with the standard "***429 Too many requests***" response. |
-| `redirect_url` | This is an optional attribute that is required only if `throttle_action` is configured with the value `REDIRECT`. |
+| `limittype` | It allows you to configure the following type of throttling algorithms that you want to use to apply the limit: </br> - burst </br> - smooth.  The default is the ***burst*** mode.
+| `throttle_action` | It allows you to define the throttle action that needs to be taken on the traffic that's throttled for crossing the configured threshold. </br></br> The following are the throttle action that you can define: </br> - **DROP:** Drops the requests above the configured traffic limits. </br>- **RESET:** Resets the connection for the requests crossing the configured limit. </br> - **REDIRECT:** Redirects the traffic to the configured `redirect_url`. </br> - **RESPOND:** Responds with the standard "***429 Too many requests***" response. |
+| `redirect_url` | This attribute is an optional attribute that is required only if `throttle_action` is configured with the value `REDIRECT`. |
+| `logpackets` | Enables audit logs. |
+| `logexpression` | Specifies the default-syntax expression that defines the format and content of the log message. |
+| `loglevel` | Specifies the severity level of the log message that is generated. |
 
 ## Deploy the Rate limit CRD
 
@@ -153,11 +160,14 @@ spec:
   req_threshold: 15
   timeslice: 60000
   throttle_action: "RESPOND"
+  logpackets:
+    logexpression: "http.req.url"
+    loglevel: "INFORMATIONAL"
 ```
 
 >**Note:**
 >
-> You can initiate multiple Kubernetes objects for different paths that require different ratelimit configurations.
+> You can initiate multiple Kubernetes objects for different paths that require different rate limit configurations.
 
 After you have defined the policy configuration, deploy the `.yaml` file using the following command:
 
@@ -168,7 +178,7 @@ The Citrix ingress controller applies the policy configuration on the Ingress Ci
 
 #### Limit API requests to calender APIs
 
-Consider a scenario wherein you want to define a rate-based policy in Citrix ADC to limit the API requests (GET or POST) to 5 requests from each API client identified using HTTP header `X-API-Key` to the calender APIs. Create a `.yaml` file called `ratelimit-example2.yaml` and use the appropriate CRD attributes to define the rate-based policy as follows:
+Consider a scenario wherein you want to define a rate-based policy in a Citrix ADC to limit the API requests (GET or POST) to five requests from each API client identified using the HTTP header `X-API-Key` to the calender APIs. Create a `.yaml` file called `ratelimit-example2.yaml` and use the appropriate CRD attributes to define the rate-based policy as follows:
 
 ```yml
 apiVersion: citrix.com/v1beta1
@@ -188,6 +198,9 @@ spec:
       header_name: "X-API-Key"
   req_threshold: 5
   throttle_action: "RESPOND"
+  logpackets:
+    logexpression: "rate exceeded, you may want to configure higher limit"
+    loglevel: "INFORMATIONAL"
 ```
 
 After you have defined the policy configuration, deploy the `.yaml` file using the following command: