Merge pull request #322 from citrix/docs

Docs

Author: sreejithgs

crd/auth/README.md

@@ -2,7 +2,7 @@
 
 Authentication and authorization policies are used to enforce access restrictions to the resources hosted by an application or API server. While you can verify the identity using the authentication policies, authorization policies are used to verify whether a specified request has the necessary permissions to access a resource.
 
-Citrix provides a Kubernetes [CustomResourceDefinitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) (CRDs) called the **Auth CRD** that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC.
+Citrix provides a Kubernetes [CustomResourceDefinition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) (CRD) called the **Auth CRD** that you can use with the Citrix ingress controller to define authentication policies on the ingress Citrix ADC.
 
 ## Auth CRD definition
 
@@ -200,6 +200,7 @@ spec:
             - servicenames
 ```
 
+
 ## Auth CRD attributes
 
 The Auth CRD provides the following attributes that you use to define the authentication policies:
@@ -367,21 +368,22 @@ spec:
               - '/customers/'
             method: [POST]
             claims: 
-            - name: "scope"
-              values: ["read", "write"]
+             - name: "scope"
+               values: ["read", "write"]
 
         - resource:
             path:
               - '/reviews'
             claims: 
-            - name: "scope"
-              values: ["read"]
+             - name: "scope"
+               values: ["read"]
         - resource:
             path:
               - '/products/'
             method: [GET]
             claims: []
-    
+
+
 ```
 
 The sample authentication policy performs the following:
@@ -395,10 +397,11 @@ The sample authentication policy performs the following:
 -  The Citrix ADC performs the oAuth JWT verification as specified in the provider `jwt-auth-provider` for the requests to the **reviews** endpoint.
 
 -  The Citrix ADC performs the oAuth introspection as specified in the provider `introspect-provider` for the requests to the **customers** endpoint.
-
+  
 -  The Citrix ADC requires the `scope` claim with `read` and `write` permissions to access the **customers** endpoint and **POST**.
 
--  The Citrix ADC does not need any authorization permissions to access the **products** endpoint with GET operation.  
+-  The Citrix ADC does not need any authorization permissions to access the **products** endpoint with GET operation.
+
 
 For oAuth, if the token is present in a custom header, it can be specified using the `token_in_hdr` attribute as follows:
 

docs/configure/annotations.md

@@ -87,6 +87,7 @@ In service annotations, `index` is the ordered index of the ports in a service s
 | `service.citrix.com/ssl-ca-certificate-data-<index>` | Use this annotation to specify the server CA certificate value to verify the client certificate in PEM format.| service.citrix.com/ssl-ca-certificate-data-0: \| <`certificate`> |
 |`service.citrix.com/ssl-backend-ca-certificate-data-<index>`| Use this annotation to specify the CA certificate value to verify the server certificate of the back-end in PEM format.| service.citrix.com/ssl-backend-ca-certificate-data-0: \| <`certificate`> |
 | `service.citrix.com/ssl-termination-<index>` | Use this annotation to specify the SSL termination. The accepted values are `EDGE` and `REENCRYPT`.  | service.citrix.com/ssl-termination-0: 'EDGE' |
+| `service.citrix.com/insecure-redirect` | Use this annotation to redirect insecure traffic to a secure port. You can either specify the secure port using {`secure-portname` : `port-number`} or {`secure-portnumber`- `secure-port-protocol` : `insecure-portnumber` } to redirect traffic from an insecure port.  | service.citrix.com/insecure-redirect: '{"port-443": 80 }'  <br> or <br> service.citrix.com/insecure-redirect: '{"443-tcp": 80 }' |
 | `service.citrix.com/frontend-ip` | Use this annotation to pass the VIP for services of type `LoadBalancer`.|service.citrix.com/frontend-ip: "192.168.1.1" |
 | `service.citrix.com/ipam-range` | Use this annotation to select a particular IP address range from a set of ranges specified to the Citrix IPAM controller. This annotation is used for services of type LoadBalancer.|service.citrix.com/ipam-range: "Dev"|
 | `service.citrix.com/secret` | Use this annotation to specify the name of the secret resource for the front-end server certificate.| service.citrix.com/secret: "hotdrink-secret" |
@@ -98,6 +99,39 @@ In service annotations, `index` is the ordered index of the ports in a service s
 |`service.citrix.com/preconfigured-backend-certkey` |Use this annotation to specify the name of the preconfigured certificate key in the Citrix ADC to be bound to the back-end SSL service group. This certificate is sent to the server during the SSL handshake for server authentication. | service.citrix.com/preconfigured-ca-certkey: 'coffee-ca-cert'|
 |`service.citrix.com/preconfigured-backend-ca-certkey` |Use this annotation to specify the name of the preconfigured CA certificate key in the Citrix ADC to bound to the back-end SSL service group for server authentication.|service.citrix.com/preconfigured-backend-ca-certkey: 'coffee-ca-cert' |
 
+### Sample YAML with the service annotation to redirect insecure traffic
+
+This example shows how to redirect traffic from clients making requests on an insecure port 80 to the secure port 443.
+
+The following annotation is specified in the service YAML file to redirect traffic:
+
+    service.citrix.com/insecure-redirect: '{"port-443": 80}'
+
+Following is a sample service definition:
+
+```yml
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend-service
+  annotations:
+    service.citrix.com/service-type-0: SSL
+    service.citrix.com/frontend-ip: '192.2.170.26'
+    service.citrix.com/secret: '{"port-443": "web-ingress-secret"}'
+    service.citrix.com/ssl-termination-0: "EDGE"
+    service.citrix.com/insecure-redirect: '{"port-443": 80}'
+spec:
+  type: LoadBalancer
+  selector:
+    app: frontend
+  ports:
+  - port: 443
+    targetPort: 80
+    name: port-443
+
+```
+
 ## Smart annotations for services
 
 Smart annotations for services are used to configure the Citrix ADC with custom values for Citrix ADC configuration parameters. The annotations are used for services of type `LoadBalancer` and for the services in Citrix ADC CPX used for East-West traffic.

docs/configure/cpx-bgp-router/configmap-example.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  labels:
+    app: cic
+data:
+  NS_BGP_CONFIG: |
+    bgpConfig:
+    - bgpRouter:
+        localAS: 100
+        neighbor:
+        - address: 10.102.33.33
+          remoteAS: 100
+          advertisementInterval: 30
+          ASOriginationInterval: 30

docs/configure/cpx-bgp-router/configmap-nodeselector-example.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  labels:
+    app: cic
+data:
+  NS_BGP_CONFIG: |
+    bgpConfig:
+    - nodeSelector: datacenter=ds1
+      bgpRouter:
+        localAS: 100
+        neighbor:
+        - address: 10.102.33.44
+          remoteAS: 100
+          advertisementInterval: 30
+          ASOriginationInterval: 30
+    - nodeSelector: datacenter=ds2
+      bgpRouter:
+        localAS: 100
+        neighbor:
+        - address: 10.102.28.12
+          remoteAS: 100
+          advertisementInterval: 30
+          ASOriginationInterval: 30
+

docs/configure/cpx-bgp-router/ingress-example.yaml

@@ -0,0 +1,13 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: kuard
+spec:
+  rules:
+  - host: kuard.example.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: kuard
+          servicePort: 80 

docs/configure/cpx-bgp-router/rbac.yaml

@@ -0,0 +1,66 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: cpx-ingress-k8s-role
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints", "ingresses", "pods", "secrets", "nodes", "routes", "namespaces", "configmaps"]
+    verbs: ["get", "list", "watch"]
+  # services/status is needed to update the loadbalancer IP in service status for integrating
+  # service of type LoadBalancer with external-dns
+  - apiGroups: [""]
+    resources: ["services/status"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses", "ingresses/status"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["citrix.com"]
+    resources: ["rewritepolicies", "canarycrds", "authpolicies", "ratelimits", "listeners", "httproutes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["citrix.com"]
+    resources: ["rewritepolicies/status", "canarycrds/status", "ratelimits/status", "authpolicies/status", "listeners/status", "httproutes/status"]
+    verbs: ["get", "list", "patch"]
+  - apiGroups: ["citrix.com"]
+    resources: ["vips"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes"]
+    verbs: ["get", "list", "watch"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: cpx-ingress-k8s-role
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cpx-ingress-k8s-role
+subjects:
+- kind: ServiceAccount
+  name: cpx-ingress-k8s-role
+  namespace: default
+apiVersion: rbac.authorization.k8s.io/v1
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cpx-ingress-k8s-role
+  namespace: default
+
+---

docs/configure/cpx-bgp-router/service-example.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kuard-service
+  annotations:
+    # This uses IPAM to allocate an IP from range 'Dev'
+    # service.citrix.com/ipam-range: 'Dev'
+    service.citrix.com/frontend-ip: 172.217.163.17
+    service.citrix.com/service-type-0: 'HTTP'
+    service.citrix.com/service-type-1: 'SSL'
+    service.citrix.com/lbvserver: '{"80-tcp":{"lbmethod":"ROUNDROBIN"}}'
+    service.citrix.com/servicegroup: '{"80-tcp":{"usip":"yes"}}'
+    service.citrix.com/ssl-termination: edge
+    service.citrix.com/monitor: '{"80-tcp":{"type":"http"}}'
+    service.citrix.com/frontend-httpprofile: '{"dropinvalreqs":"enabled", "websocket" : "enabled"}'
+    service.citrix.com/backend-httpprofile: '{"dropinvalreqs":"enabled", "websocket" : "enabled"}'
+    service.citrix.com/frontend-tcpprofile: '{"ws":"enabled", "sack" : "enabled"}'
+    service.citrix.com/backend-tcpprofile: '{"ws":"enabled", "sack" : "enabled"}'
+    service.citrix.com/frontend-sslprofile: '{"hsts":"enabled", "tls12" : "enabled"}'
+    service.citrix.com/backend-sslprofile: '{"tls12" : "enabled"}
+    service.citrix.com/ssl-certificate-data-1: |
+      -----BEGIN CERTIFICATE-----
+      #redacted certificate
+      -----END CERTIFICATE-----
+    service.citrix.com/ssl-key-data-1: |
+      -----BEGIN RSA PRIVATE KEY-----
+      #redacted certificate
+      -----END RSA PRIVATE KEY-----
+spec:
+  type: LoadBalancer
+  selector:
+    app: kuard
+  ports:
+  - port: 80
+    targetPort: 8080
+    name: http
+  - port: 443
+    targetPort: 8443
+    name: https
+