Add a second client helper to manage local cluster and remote cluster. #638

BobVanB opened this issue Mar 7, 2024 · 0 comments
BobVanB commented Mar 7, 2024

Is your feature request related to a problem? Please describe.

Use a kubernetes_url with kube-token to point to a different cluster.

```yaml
- name: cic
  args:
  - --kube-token token-p9dkh:<token>
  env:
  - name: kubernetes_url
    value: https://<remote_url>:6443
```

This will give an error that it can't find its own pod. Probably to update a status.

```text
2024-03-07 07:43:35,189  - DEBUG - [singleton.py:__call__:20] (MainThread) Singleton class <class 'triton.kubernetes.kubeeventwriter.podstatusevent.currentpod.CurrentPod'> got created
2024-03-07 07:43:35,258  - ERROR - [clienthelper.py:get:44] (MainThread) Reuqest /pods/<prefix>-citrix-ingress-controller-6498748c7f-jbhdp to the api server is not authorized
2024-03-07 07:43:35,258  - WARNING - [podstatusevent.py:write:78] (MainThread) PodStatusEvent: FAILURE: Getting pod Info: 401 Client Error: Unauthorized for url: https://<remote_url>:6443/api/v1/namespaces/citrix-ingress/pods/<prefix>-citrix-ingress-controller-6498748c7f-jbhdp
```

These two requests are probably handled by the same instance of clienthelper.py that points to kubernetes_url:

  1. Getting the netscaler resources. IngressClass, Ingress, Waf, etc...
  2. Getting the current CurrentPod

Describe the solution you'd like

Initialize 2 clienthelper.py:

  1. The first one using the local connection details, using the serviceAccountName that is connected to the pod.
     https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy
  2. The second one using the arguments passed by environment variables or arguments:
     ```text
     --kube-apiserver
     --kube-token
     kubernetes_url
     ```

Describe alternatives you've considered

There is no other solution provided by Citrix, other than manually adding a CPX to the VPX.
The response was adding a CIC controller and adding the entries to the VPX via Ingress.
This CIC can't be on the customer cluster, because of security issues. So it has to be remote and that is not possible because of the above.

Additional context

  • This enables a central citrix ingress controller to manage a remote cluster.
  • This could enable one central citrix ingress controller to manage multiple remote clusters.

Something like this in the helmchart values yaml would be cool:

```yaml
clusters:
- clusterName: clusterA
  kubernetes_url: https://clusterA:6443
  entityPrefix: clsA
  ...
- clusterName: clusterB
  kubernetes_url: https://clusterB:6443
  entityPrefix: clsB
  nodeWatch: true
  cncPbr: true
  disableAPIServerCertVerify: true
  ... all remote cluster settings
```
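The split the issue asks for, as an added illustration that is not the controller's own code: one client built from the pod's projected service-account credentials (the in-cluster method the linked Kubernetes page describes) and a second built from `--kube-apiserver`, `--kube-token` and `kubernetes_url`, with requests about the controller's own pod always routed to the local cluster so the 401 from the remote API server in the log above cannot occur. The `ClientHelper` class, `local_client`, `remote_client`, `client_for`, `demo` and all sample tokens, hosts and paths are constructed for this example; only the `/var/run/secrets/kubernetes.io/serviceaccount` mount path and the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables are standard Kubernetes.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence
from urllib.parse import urljoin

# Standard in-pod mount of the service-account credentials. The example only
# reads it when you pass it explicitly; demo() uses a constructed temp dir.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Request kinds that are about the controller's *own* pod. These must go to
# the cluster the pod runs in, regardless of what kubernetes_url points at.
LOCAL_KINDS = frozenset({"current-pod", "pod-status"})


@dataclass(frozen=True)
class ClientHelper:
    """Hypothetical stand-in for clienthelper.py: an API endpoint plus its credentials."""
    name: str
    base_url: str
    token: str
    ca_cert: Optional[str]  # CA bundle path; None means TLS verification is disabled

    def url_for(self, path: str) -> str:
        return urljoin(self.base_url.rstrip("/") + "/", path.lstrip("/"))

    def headers(self) -> dict:
        return {"Authorization": f"Bearer {self.token}"}


def local_client(sa_dir: str = SA_DIR, env: Mapping[str, str] = os.environ) -> ClientHelper:
    """In-cluster client: host/port from the environment, token and CA from the
    service-account mount, exactly as the Kubernetes 'without using a proxy' doc does."""
    host = env["KUBERNETES_SERVICE_HOST"]
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    with open(os.path.join(sa_dir, "token"), encoding="utf-8") as f:
        token = f.read().strip()
    return ClientHelper("local", f"https://{host}:{port}", token, os.path.join(sa_dir, "ca.crt"))


def remote_client(args: Sequence[str], env: Mapping[str, str],
                  ca_cert: Optional[str] = None, disable_cert_verify: bool = False) -> ClientHelper:
    """Remote client from the flags/env var named in the issue. kubernetes_url wins
    over --kube-apiserver when both are set. Without a CA bundle the caller must
    opt in to disableAPIServerCertVerify explicitly, so the weak setting is visible."""
    opts = {}
    for i, a in enumerate(args):
        if a in ("--kube-apiserver", "--kube-token") and i + 1 < len(args):
            opts[a] = args[i + 1]
    url = env.get("kubernetes_url") or opts.get("--kube-apiserver")
    token = opts.get("--kube-token")
    if not url or not token:
        raise ValueError("remote cluster needs kubernetes_url (or --kube-apiserver) and --kube-token")
    if disable_cert_verify:
        ca_cert = None
    elif ca_cert is None:
        raise ValueError("remote cluster needs a CA bundle unless disableAPIServerCertVerify is set")
    return ClientHelper("remote", url, token, ca_cert)


def client_for(kind: str, local: ClientHelper, remote: ClientHelper) -> ClientHelper:
    """Route own-pod lookups to the local cluster, everything else to the remote one."""
    return local if kind in LOCAL_KINDS else remote


def demo() -> dict:
    """Replay the two requests from the issue's log against constructed inputs."""
    sa_dir = tempfile.mkdtemp()
    with open(os.path.join(sa_dir, "token"), "w", encoding="utf-8") as f:
        f.write("local-sa-token\n")  # constructed sample token
    with open(os.path.join(sa_dir, "ca.crt"), "w", encoding="utf-8") as f:
        f.write("-----BEGIN CERTIFICATE-----\n")  # placeholder CA bundle
    env = {  # constructed values standing in for the real pod environment
        "KUBERNETES_SERVICE_HOST": "10.96.0.1",
        "KUBERNETES_SERVICE_PORT": "443",
        "kubernetes_url": "https://remote.example:6443",
    }
    local = local_client(sa_dir, env)
    remote = remote_client(["--kube-token", "token-p9dkh:REMOTE_TOKEN"], env,
                           ca_cert="/path/to/remote-ca.crt")  # placeholder path, never opened
    pod_path = "/api/v1/namespaces/citrix-ingress/pods/cic-pod"
    ing_path = "/apis/networking.k8s.io/v1/ingresses"
    return {
        "current-pod": client_for("current-pod", local, remote).url_for(pod_path),
        "ingress": client_for("ingress", local, remote).url_for(ing_path),
    }


if __name__ == "__main__":
    for kind, url in demo().items():
        print(f"{kind:12s} -> {url}")
```

The routing key is the request kind, not the URL path, because a pod lookup on the remote cluster (for example a status check on a remote workload) is still a legitimate remote request; only lookups of the controller's own pod are pinned to the local client.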