In most organizations, Tier 1 Netscaler Ingress devices and Kubernetes clusters are managed by separate teams. The Netscaler ingress controller requires Netscaler credentials such as Netscaler user name and password to configure the Netscaler. Usually, Netscaler credentials are specified as environment variables in the Netscaler ingress controller pod specification. But, another secure option is to use Kubernetes secrets to store the Netscaler credentials.
This topic describes how to use Kubernetes secrets to store the ADC credentials and various ways to provide the credentials stored as secret data for the Netscaler ingress controller.
Perform the following steps to create a Kubernetes secret.
-
Create a file
adc-credential-secret.yaml
which defines a Kubernetes secret YAML with Netscaler user name and password in thedata
section as follows.apiVersion: v1 kind: Secret metadata: name: adc-credential data: username: <ADC user name> password: <ADC password>
-
Apply the
adc-credential-secret.yaml
file to create a secret.kubectl apply -f adc-credential-secret.yaml
Alternatively, you can also create the Kubernetes secret using --from-literal
option of the kubectl
command as shown as follows:
kubectl create secret generic adc-credentials --from-literal=username=<username> --from-literal=password=<password>
Once you have created a Kubernetes secret, you can use one of the following options to use the secret data in the Netscaler ingress controller pod specification.
- Use secret data as environment variables in the Netscaler ingress controller pod specification
- Use a secret volume mount to pass credentials to the Netscaler ingress controller
You can use secret data from the Kubernetes secret as the values for the environment variables in the Netscaler ingress controller deployment specification.
A snippet of the YAML file is shown as follows.
- name: "NS_USER"
valueFrom:
secretKeyRef:
name: adc-credentials
key: username
# Set user password for Nitro
- name: "NS_PASSWORD"
valueFrom:
secretKeyRef:
name: adc-credentials
key: password
Here is an example of the Netscaler ingress controller deployment with value of environment variables sourced from the secret object.
apiVersion: apps/v1
kind: Deployment
metadata:
name: cic-k8s-ingress-controller
spec:
selector:
matchLabels:
app: cic-k8s-ingress-controller
replicas: 1
template:
metadata:
name: cic-k8s-ingress-controller
labels:
app: cic-k8s-ingress-controller
annotations:
spec:
serviceAccountName: cic-k8s-role
containers:
- name: cic-k8s-ingress-controller
image: <image location>
env:
# Set NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)
- name: "NS_IP"
value: "x.x.x.x"
# Set username for Nitro
- name: "NS_USER"
valueFrom:
secretKeyRef:
name: adc-credentials
key: username
# Set user password for Nitro
- name: "NS_PASSWORD"
valueFrom:
secretKeyRef:
name: adc-credentials
key: password
# Set log level
- name: "EULA"
value: "yes"
imagePullPolicy: Always
Alternatively, you can also use a volume mount using the secret object as a source for the Netscaler credentials. The Netscaler ingress controller expects the secret to be mounted at path /etc/citrix
and it looks for the credentials in files username
and password
.
You can create a volume from the secret object and then mount the volume using volumeMounts at /etc/citrix
as shown in the following deployment example.
apiVersion: apps/v1
kind: Deployment
metadata:
name: cic-k8s-ingress-controller
spec:
selector:
matchLabels:
app: cic-k8s-ingress-controller
replicas: 1
template:
metadata:
name: cic-k8s-ingress-controller
labels:
app: cic-k8s-ingress-controller
annotations:
spec:
serviceAccountName: cic-k8s-role
containers:
- name: cic-k8s-ingress-controller
image: <image location>
env:
# Set NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled)
- name: "NS_IP"
value: "x.x.x.x"
# Set log level
- name: "EULA"
value: "yes"
volumeMounts:
# name must match the volume name below
- name: secret-volume
mountPath: /etc/citrix
imagePullPolicy: Always
# The secret data is exposed to Containers in the Pod through a Volume.
volumes:
- name: secret-volume
secret:
secretName: adc-credentials
You can also use the Netscaler credentials stored in a Hashicorp Vault server for the Netscaler ingress controller and push the credentials through a sidecar container. For more information, see Using Netscaler credentials stored in a Vault server.