Merge pull request #478 from citrix/cic-release-1.19

changes for CIC release 1.19.6 and sample configuration files for GitOps

Author: sreejithgs

deployment/baremetal/README.md

@@ -104,7 +104,7 @@ Perform the following steps to deploy the Citrix ingress controller as a stand-a
                                 
          These environment variables define the protocol and port used by the Citrix ingress controller to communicate with the Citrix ADC.
 
-         By default NS_PROTOCOL is HTTP and NS_PORT is 80. Other option is to use HTTPS and port 443.
+         By default NS_PROTOCOL is HTTPS and NS_PORT is 443.
        </details>
        <details>
        <summary>Ingress Class</summary>

deployment/openshift/README.md

@@ -32,12 +32,14 @@ For information on deploying the Citrix ingress controller to control the OpenSh
 
 You can use Citrix ADC for load balancing Openshift control plane (master nodes). Citrix provides a solution to automate the configuration of Citrix ADC using Terraform instead of manually configuring the Citrix ADC. For more information, see [Citrix ADC as a load balancer for the OpenShift control plane](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/deployment/openshift/citrix-adc-for-control-plane/README.md).
 
+**Note:**
+OpenShift support of alternate backends is now supported by Citrix ingress controller. Citrix ADC is configured according to the weights provided in the routes definition and traffic is distributed among the service pods based on those weights.
 
 ## Supported Citrix components on OpenShift
 
 | Citrix components | Versions |
 | ----------------- | -------- |
-| Citrix ingress controller | Latest (1.4.0) |
+| Citrix ingress controller | Latest |
 | Citrix ADC VPX | 12.1 50.x and later |
 | Citrix ADC CPX | 13.0–36.28 |
 
@@ -84,6 +86,8 @@ You can use the [cic.yaml](https://raw.githubusercontent.com/citrix/citrix-k8s-i
 
 **Note:** The Citrix ADC MPX or VPX can be deployed in *[standalone](https://docs.citrix.com/en-us/citrix-adc/12-1/getting-started-with-citrix-adc.html)*, *[high-availability](https://docs.citrix.com/en-us/citrix-adc/12-1/getting-started-with-citrix-adc/configure-ha-first-time.html)*, or *[clustered](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering.html)* modes.
 
+**Note:** In the latest versions of OpenShift when OVN CNI is used, `—feature-node-watch` might not work. In that case, you must manually configure the static routes on Citrix ADC VPX.
+
 ### Prerequisites
 
 -  Determine the IP address needed by the Citrix ingress controller to communicate with the Citrix ADC appliance. The IP address might be any one of the following depending on the type of Citrix ADC deployment:

docs/certificate-management/tls-certificates.md

@@ -59,6 +59,9 @@ The Citrix ingress controller default certificate is used to provide a secret on
 
         --default-ssl-certificate <NAMESPACE>/<SECRET_NAME>
 
+**Note:**
+The Citrix ingress controller default certficate is supported for Openshift routes.
+
 The following is a sample Citrix ingress controller YAML definition file that contains a TLS secret (`hotdrink.secret`) picked from the `ssl` namespace and provided as the Citrix ingress controller default certificate.
 
 !!! note "Note"

docs/configure/profiles.md

@@ -217,6 +217,10 @@ spec:
            - api_key: introspect-auth-provider
 ```
 
+## Sample configuration for deploying Citrix API gateway with GitOps
+
+For a sample configuration for deploying Citrix API gateway with GitOps, see [Sample configuration for deploying Citrix API gateway with GitOps](../../example/git-ops/README.md).
+
 ## Support for web insight based analytics
 
 Web insight based analytics is now supported with the API gateway CRD. When you use GitOps, the following web insight parameters are enabled by default:
@@ -225,4 +229,4 @@ Web insight based analytics is now supported with the API gateway CRD. When you
 - `httpuseragent`
 - `httphost`
 - `httpmethod`
-- `httpcontenttype`  
+- `httpcontenttype` 

docs/deploy/deploy-api-gateway-using-gitops.md

@@ -1,4 +1,4 @@
-b Deploy the Citrix ingress controller as an OpenShift router plug-in
+# Deploy the Citrix ingress controller as an OpenShift router plug-in
 
 In an OpenShift cluster, external clients need a way to access the services provided by pods. OpenShift provides two resources for communicating with services running in the cluster: [routes](https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html) and [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
 
@@ -32,12 +32,14 @@ For information on deploying the Citrix ingress controller to control the OpenSh
 
 You can use Citrix ADC for load balancing Openshift control plane (master nodes). Citrix provides a solution to automate the configuration of Citrix ADC using Terraform instead of manually configuring the Citrix ADC. For more information, see [Citrix ADC as a load balancer for the OpenShift control plane](https://github.com/citrix/citrix-k8s-ingress-controller/blob/master/deployment/openshift/citrix-adc-for-control-plane/README.md).
 
+**Note:**
+OpenShift support of alternate backends is now supported by Citrix ingress controller. Citrix ADC is configured according to the weights provided in the routes definition and traffic is distributed among the service pods based on those weights.
 
 ## Supported Citrix components on OpenShift
 
 | Citrix components | Versions |
 | ----------------- | -------- |
-| Citrix ingress controller | Latest (1.4.0) |
+| Citrix ingress controller | Latest  |
 | Citrix ADC VPX | 12.1 50.x and later |
 | Citrix ADC CPX | 13.0–36.28 |
 
@@ -85,6 +87,8 @@ You can use the [cic.yaml](https://raw.githubusercontent.com/citrix/citrix-k8s-i
 
 **Note:** The Citrix ADC MPX or VPX can be deployed in *[standalone](https://docs.citrix.com/en-us/citrix-adc/12-1/getting-started-with-citrix-adc.html)*, *[high-availability](https://docs.citrix.com/en-us/citrix-adc/12-1/getting-started-with-citrix-adc/configure-ha-first-time.html)*, or *[clustered](https://docs.citrix.com/en-us/citrix-adc/12-1/clustering.html)* modes.
 
+**Note:** In the latest versions of OpenShift when OVN CNI is used, `—feature-node-watch` might not work. In that case, you must manually configure the static routes on Citrix ADC VPX.
+
 ### Prerequisites
 
 -  Determine the IP address needed by the Citrix ingress controller to communicate with the Citrix ADC appliance. The IP address might be any one of the following depending on the type of Citrix ADC deployment:

docs/deploy/deploy-cic-openshift.md

@@ -0,0 +1,81 @@
+# Sample configuration for deploying Citrix API gateway with GitOps
+
+This topic provides a sample configuration for deploying Citrix API gateway with GitOps.
+GitOps is supported with the following CRDs for APIs and security information specified in the Swagger files on Git.
+
+ -  rewritepolicy
+
+ -  ratelimit
+
+ -  authpolicy
+
+ -  waf
+
+ -  bot
+
+1. Create a Kubernetes secret with the login information for your Citrix ADC.
+
+        kubectl create secret generic nslogin --from-literal=username=<username> --from-literal=password=<password>
+
+   >**Note:**
+   >Replace `username` and `password` with the login credentials of your Citrix ADC VPX.
+
+1. Deploy Citrix ingress controller and apply CRD definition files through the following Helm commands:
+
+        helm repo add citrix https://citrix.github.io/citrix-helm-charts/
+        helm install cic citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=nslogin,nodeWatch=true,crds.install=true
+    
+    >**Note:**
+    >Replace `NSIP` with Citrix ADC VPX IP address.
+
+     To install a specific version of the Helm chart (for example: 1.18.15), use the following command:
+     
+        helm install cic citrix/citrix-ingress-controller --set nsIP=<NSIP>,license.accept=yes,adcCredentialSecret=nslogin,crds.install=true --version 1.18.5
+
+1. Copy the Swagger files provided in the [SwaggerFiles](./SwaggerFiles) folder to the Git repository.
+
+1. Launch a sample application as a service.
+
+        kubectl apply -f echoserver.yaml 
+
+
+   >**Note**: In this example, [echoserver](./echoserver.yaml) is used as the sample application. This command creates the `echoserver` application as a service.
+
+1. Apply the `rewritepolicy` CRD template file `rewrite-crd-prefixurl-rewrite.yaml` in the [TemplateCRDFiles](./TemplateCRDFiles) folder.
+
+        kubectl apply -f TemplateCRDFiles/rewrite-crd-prefixurl-rewrite.yaml
+
+1. Create Kubernetes secret for the Git credentials.
+
+        kubectl apply -f secret.yaml
+     >**Note:**
+     >Replace the `username` and `password` with appropriate base64 encoded credentials in the s`ecret.yaml` file.
+
+1. Create the API Gateway CRD instance.
+
+        kubectl apply -f api-gateway-crd-instance.yaml
+
+   Update the API gateway CRD instance file (api-gateway-crd-instance.yaml) with the following information:
+
+   - `repository`: Provide the GIT Repository information
+   - `branch`: The branch on the Git repository that needs to be referred.
+   - `files`:  The path of Swagger files to be monitored on Git.
+   - `ipaddress`: Provide the Citrix ADC content switching virtual server VIP IP address (The listener IP address on Citrix ADC).
+   - `port`: Provide the port information for the listener (For HTTP, port 80 and for HTTPS port 443).
+   - `protocol`:  HTTP or HTTPS (If the protocol is HTTPS, then there is a need of certificate information to be provided as a secret).
+
+1. Create a certificate for the Citrix ADC listener if the protocol is HTTPS.
+
+        kubectl create secret tls cert1 --key="cert.key" --cert="cert.crt"
+
+   >**Note:**
+   Replace `cert.key` and `cert.crt`  with the certificates to be used. If the protocol is HTTP, there is no need to create the secret.
+
+1. Based on the protocol selected in the API Gateway CRD, try accessing the application through `http://ipaddress/v2/play/play_api` or `https://ipaddress/v2/play/play_api` URLs .
+
+   >**Note:**
+   Replace `ipaddress` in the URL with the IP address of the Citrix ADC content switching virtual server VIP (the listener IP address on the Citrix ADC). Replace the `play_api` with the API that needs to be accessed (For example: `tennis)`.
+
+1. Try to modify the Swagger file APIs on Git or the template rewritepolicy CRD to evaluate the GitOps functionality.
+
+Similar to the way `rewritepolicy` is used for evaluation, you can validate `Ratelimit`, `Auth`, `WAF`, and `BOT` CRD functionalities by applying the corresponding template CRD shared in the `TemplateCRDFiles` directory.