citrix-xds-adaptor
This release is primarily focused on enhancing the security and ease of deployment of Citrix istio-adaptor.
Earlier, it was mandatory to create a secret comprising of certificate and key before deploying the sidecar injector. Now, init container is developed which generates a certificate signing request(CSR) and get it approved from Kubernetes CA while deploying the Citrix ADC CPX sidecar injector webhook service.
Now, you can configure a delay (in milliseconds) using an HTTP service before forwarding requests to the back-end server. This feature helps in simulating various failures such as network issues and server overload. It is useful for Chaos testing of microservices.
Now Citrix istio-adaptor runs as a non-root user and file system is made as read-only. Hence you can prevent any malicious code from getting permissions in the container host and ensure that your application environment is secure. In addition to this, few vulnerabilities are also addressed to enhance the security of Citrix istio-adaptor.
The following issues are fixed in this release:
• AppFlow logs were not sent from sidecar proxies to the Citrix Observability Exporter(COE).
• Default route information was not retained after Citrix ADC CPX reboots.
• Certificate and key were loaded from the istio.default secret only even when the service has a secret associated with the serviceaccount.
• Endpoints were not pulled from the ADS server due to inadequate handling of the CDS resource.
Traffic mirroring provides a way to minimize the risk in bringing your application changes to production. Instead of routing production traffic to a newly deployed service, you can send a copy of the production traffic to a mirrored service. You can then observe the service that is receiving mirrored traffic for errors.
Citrix istio-adaptor now supports HTTP Traffic Mirroring. [NSNET-13891]
A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). Using a weighted service entry, you can associate a load balancing weight with an endpoint. Endpoints with higher weights receive proportionally high traffic compared to endpoints with lower weights.
Citrix istio-adaptor now supports Weighted Service Entries. [NSNET-13514])
Service group configuration on a Citrix ADC appliance requires frequent updates depending on the scale requirements or runtime changes to application servers. You can use desired state API and accept the intended member set for a service group in a single API and effectively update the configuration. Usage of desired state API improves the performance of updating servicegroup members significantly.
Citrix istio-adaptor now supports Desired State APIs. [NSNET-12761]
Now, you can integrate a Citrix ADC deployed as an Istio sidecar with Citrix Observability Exporter. Using Citrix Observability Exporter, you can export metrics and transactions from Citrix ADCs to desired endpoints such as Zipkin and Prometheus and analyze them to get valuable insights. [NSNET-11533]
This release of Citrix istio-adaptor adds support for Red Hat OpenShift Service Mesh which is based on Istio release version 1.1.11.
The following Red Hat OpenShift cluster versions are supported:
Outlier detection is a process to dynamically detect unusual host behavior and remove unhealthy hosts from the set of load balanced healthy hosts inside a cluster. Citrix istio-adaptor now supports HTTP service outlier detection.
JSON Web Token (JWT) is an open standard for securely transmitting information between parties as JSON objects.
The following issues related to the JWT authentication are fixed in this release:
JWTs sent in a custom request header or query parameter were not supported on Citrix ADCs. Now, it is supported on Citrix ADCs except Citrix ADC CPX. [NSAUTH-6176]
Multiple audiences for JWT were not supported. [NSAUTH-6178]
JWT authentication was triggered for all paths in a request ignoring the list of paths specified using includedPaths and excludedPaths to bypass the authentication. [NSAUTH-6247]
The following issues related to Citrix ADC are fixed in this release:
Citrix istio-adaptor requires premium license for Citrix ADC VPX or MPX and stops communication if the license type is not premium. [NSNET-12179]
Citrix ADC VPX or MPX as Ingress Gateway: Uploading certificate and keys for Citrix ADC VPX or MPX fails if old key and certificate with the same name exists in Citrix ADC VPX or MPX. [NSNET-12371]
Citrix istio-adaptor release notes describe the new features, enhancements to existing features, fixed issues, and known issues available in the release. Citrix istio-adaptor is a Citrix solution to configure Citrix ADC as an Ingress Gateway or sidecar proxy or both in Istio Service mesh.
The latest version of Citrix istio-adaptor is available in the Citrix istio-adaptor GitHub repository.
The release notes include one or more of the following sections:
Citrix istio-adaptor now supports Istio release version 1.3.0.
Helm Hub provides a means to easily find charts that are hosted outside the Helm project. Helm charts for Citrix istio-adaptor are now available on Helm Hub.
Outlier detection is a process to dynamically detect unusual host behavior and remove unhealthy hosts from the set of load balanced healthy hosts inside a cluster. Citrix istio-adatptor now supports HTTP service outlier detection.
JSON Web Token (JWT) is an open standard for securely transmitting information between parties as JSON objects.
The following issues related to the JWT authentication are fixed in this release:
JWTs sent in a custom request header or query parameter were not supported on Citrix ADCs. Now, it is supported on Citrix ADCs except Citrix ADC CPX. [NSAUTH-6176]
Multiple audiences for JWT were not supported. [NSAUTH-6178]
JWT authentication was triggered for all paths in a request ignoring the list of paths specified using includedPaths and excludedPaths to bypass the authentication. [NSAUTH-6247]
The following issues related to Citrix ADC are fixed in this release:
Citrix istio-adaptor requires premium license for Citrix ADC VPX or MPX and stops communication if the license type is not premium. [NSNET-12179]
Citrix ADC VPX or MPX as Ingress Gateway: Uploading certificate and keys for Citrix ADC VPX or MPX fails if old key and certificate with the same name exists in Citrix ADC VPX or MPX. [NSNET-12371]
This is the first release of Citrix istio-adaptor. istio-adaptor is Citrix's solution to configure Citrix ADC as an Ingress Gateway and/or sidecar proxy in Istio Service mesh. It acts as a client to gRPC based services in Istio control plane, listens to updates from the Pilot and configures Citrix ADC proxy using NITRO API calls.
Below are features which are supported in this release:
The detailed list of fields supported on Citrix ADC as per the Istio CRDs (Destination Rule, Virtual Service, Policy, Gateway, Service Entry) can be found here.
Multiple audiences for JWT is not supported. [NSAUTH-6178]
JWTs sent in a custom request header or query parameter are not supported in Citrix ADC. [NSAUTH-6176]
JWT authentication happens for all paths. includedPaths and excludedPaths are not supported in Citrix ADC.
[NSAUTH-6247]