citrix-xds-adaptor
The current release of the Citrix xDS-adaptor is compatible with xDS servers based on go-control-plane:v0.10.3
The current release of the Citrix xDS-adaptor is compatible with Istio v1.14 onwards. This version of Citrix xDS-Adaptor is also backward compatible with Istio v1.10 onwards.
Earlier versions of Citrix xDS-Adaptor support Traffic Shifting for HTTP based clusters. With the current release, this support is now also extended for TCP based clusters.
Traditionally, when a listener resource on port 443 is received from xDS server, Citrix xDS-Adaptor creates a SSL type vserver for port 443. This behaviour is true even if the protocol type is mentioned TCP in the Gateway CRD. With the current release, an environment variable DEFAULT_SSL_LISTENER_ON_443 is provided that can modify the behaviour. If DEFAULT_SSL_LISTENER_ON_443 is set to true(default mode), then SSL type vserver will always be created for listener 0.0.0.0:443 irrespective of the absence of tlsContext. If DEFAULT_SSL_LISTENER_ON_443 is set to false, then the provided protocol type will be used to create vserver.
The current release of the Citrix xDS-adaptor is compatible with xDS servers based on go-control-plane:v0.10.1.
The current release of the Citrix xDS-adaptor is compatible with Istio v1.12.
Citrix xDS-Adaptor is enhanced with the functionality to push labels of the pod to Citrix ADC appliances running with 13.1+ builds. Observability tools can make use of this feature in improving the observability of the mesh.
The following issues are fixed in this release:
• In Istio v1.12, creation of Istio gateway resource with labelSelector was not pushing listener resources in LDS message to xDS-adaptor.
• In multicluster servicemesh, deletion of multiCluster gateway on default port 15443 was not leading to removal of respective CS vserver from the Citrix ADC.
The current release of the Citrix xDS-adaptor is compatible with xDS servers based on go-control-plane:v0.9.9.
The current release of the Citrix xDS-adaptor is compatible with Istio v1.10 onwards. Older versions had an issue in retrieving TLS certificate details from the xDS resources in Istio v1.10.
The following issues are fixed in this release:
• Endpoint for inbound cluster was not getting configured properly in Istio v1.10+.
• Root certificate details were not obtained from CertificateValidationContext properly.
• The watcher that monitors the folder was not being removed while removing the certificate key from Citrix ADC.
The following is the known issue in this release:
It has been observed sometimes certificate that is used for mTLS is getting cleared when configuration from xDS server is dumped again.
Starting with this release, you can set log level for xDS-adaptor log messages by specifying the desired value. Log can be printed in JSON format.
Go-Nitro is replaced by the Citrix’s official adc-nitro-go for configuring Citrix ADC, starting with this release.
The following issues are fixed in this release:
The following is the known issue in this release:
Earlier if multiple Citrix xDS-Adaptors in gateway mode were deployed in different namespaces of the servicemesh, and multiple xDS-adaptors configure the same Citrix ADC device, there used to be conflicts in configuration on Citrix ADC VPX/MPX. It used to happen as the name of frontend CS vserver and associated ADC config entities were created using listener name only. This could lead to name conflicts in ADC config.
Starting this release, when Citrix xDS-Adaptor is deployed in gateway mode, name of the frontend CS vserver generated by Citrix xDS-Adaptor includes unique vserver IP(VIP) provided to xDS-Adaptor in addition to listener name provided by xDS-server. This change ensures flawless deployment of multiple ingress/egress gateway pods in the same or different clusters and all pods configuring the same Citrix ADC device.
The following issues are fixed in this release:
• Ingress/egress gateway pods can be deployed in namespaces labelled for CPX sidecar injection.
• Config optimization in gateway mode: Earlier Citrix ADC was configured for all clusters resources (CDS) in the mesh. This release ensures only relevant CDS resources are processed to configure Citrix ADC appropriately.
• SSL handshake failure between Citrix ADC ingress device and mTLS enabled services: If multiple mTLS enabled services were deployed in the mesh and exposed the same using Citrix ADC VPX/MPX ingress gateway, then sometimes there used to be SSL handshake failure between ingress device and sidecar CPX of the service.
This version of Citrix ADC xDS-adaptor supports version 3 of xDS APIs and is compatible with go-control-plane:0.9.8. It enables Citrix ADC xDS-adaptor to be deployed in data plane of Istio v1.9.
Below issue is fixed in this release:
You can deploy Citrix ADC form factors CPX, VPX, and/or MPX as ingress gateway in an Istio service mesh spanning across multiple Kubernetes clusters. Istio multi-cluster service mesh with the Citrix ADC form factor as ingress gateway enables multi-cluster East-West communication between workloads running in one cluster to workloads running in another cluster.
Follow this for sample example to deploy Citrix ADC as Ingress gateway in multi-cluster Istio service mesh
The Citrix ADC as an egress gateway performs load balancing, monitoring at the edge of the mesh and provides routing rules to exit the mesh. Citrix ADC as egress gateway controls egress traffic and defines the traffic exit point in the Istio service mesh. You can deploy Citrix ADC VPX/MPX as an Egress Gateway in Istio using the Helm charts.
A sample deployment of Citrix ADC as an Egress gateway to excess external services is provided here.
The following issues are fixed in this release:
• Errors while generating the certificate due to the time mismatch between the CA and the xDS-adaptor.
• Rotated certificate was not reflected in Citrix ADC.
• Inbound virtual server was created with the SSL type even after disabling mTLS.
• No option to wait for certificate-generation to establish a secure connection with Istiod.
• The first NITRO call was failing after a long lived session.
Citrix xDS-adaptor is a non-Envoy xDS client that converts xDS API (data plane API) into an equivalent Citrix ADC configuration. The xDS-adaptor is a container that connects to an xDS API server such as Istiod, listens to updates, and configures a Citrix ADC. It enables Citrix ADC to integrate with different service meshes such as Istio.
The xDS-adaptor enables organizations to deploy their existing ADC appliances into Kubernetes environments and supports different versions of the xDS API. This release of xDS-adaptor is compatible with go-control-plane v0.9.5.
An Egress Gateway controls egress traffic and defines the traffic exit point in the Istio service mesh. Citrix ADC CPX as an Egress Gateway performs load balancing and monitoring at the edge of the service mesh and provides routing rules to exit the mesh. You can deploy Citrix ADC CPX as an Egress Gateway in Istio using the Helm charts.
A sample deployment of Citrix ADC as an Egress gateway to excess external services is provided here.
The xDS-adaptor supports Istio 1.6.4 and helps in integrating Citrix ADC with Istio and other service meshes.
Citrix ADC as a sidecar-proxy, an Ingress Gateway, or an Egress Gateway requires a TLS certificate-key pair for establishing secure communication channel with back end applications. Earlier, Istio Citadel is used to issue certificates and bundle them into a Kubernetes secret. Certificate was loaded in the application pod by performing the volume mount of the secret. Now, xDS-adaptor can generate its own certificate and get it signed by the Istio Citadel (Istiod). This process eliminates the need of the secret and the associated risks.