# README
Citrix ADC integration with Istio
Description
This repository contains various integrations of Citrix ADC with Istio 1.3.0.
Table of Contents
- Introduction
- Citrix ADC as an Ingress Gateway for Istio
- Citrix ADC as a Sidecar Proxy for Istio
- Architecture
- Deployment Options
- Features
- Example: Deploying Bookinfo with Citrix ADC
- Blogs
- Release Notes
- Contributions
- Questions
- Issues
- Code of Conduct
- Licensing
Introduction
A service mesh is an infrastructure layer that handles communication between microservices and provides capabilities like service discovery, load balancing, security, and monitoring. Istio is an open source and platform-independent service mesh that connects, monitors, and secures microservices. Citrix ADC has advanced traffic management capabilities for enhancing application performance and provides comprehensive security. Citrix ADC integrations with Istio allow you to secure and optimize traffic for applications in the service mesh using Citrix ADC features.
Citrix ADC can be integrated with Istio in two ways:
- Citrix ADC CPX, MPX, or VPX as an Istio Ingress Gateway to the service mesh.
- Citrix ADC CPX as a sidecar proxy with application containers in the service mesh.
Both modes can be combined to have a unified data plane solution.
Citrix ADC as an Ingress Gateway for Istio
An Istio ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh from outside. It also performs routing and load balancing. Citrix ADC CPX, MPX, or VPX can be deployed as an ingress gateway to the Istio service mesh.
Citrix ADC as a Sidecar Proxy for Istio
In an Istio service mesh, a sidecar proxy runs alongside application pods and intercepts and manages incoming and outgoing traffic for applications. Citrix ADC CPX can be deployed as the sidecar proxy in application pods. A sidecar proxy applies the configured routing policies or rules to the ingress and egress traffic from the pod. This Citrix ADC CPX is designed to consume fewer resources.
Architecture
For detailed information on the integration of Citrix ADC with the Istio service mesh, see Architecture. The primary component that enables the integration is istio-adaptor. istio-adaptor translates xDS API calls from the Istio control plane into NITRO API calls to the Citrix ADC.
Deployment Options
In an Istio service mesh, Citrix ADC can act as an Ingress Gateway, a sidecar proxy, or both in the data plane. Citrix ADC can act as an Ingress Gateway for services deployed with or without a sidecar (the sidecar can be Citrix ADC CPX or Envoy). The following table lists the working combinations of Citrix ADC and Envoy proxy.
Ingress Gateway | Sidecar Proxy | Supported |
---|---|---|
Citrix ADC | Citrix ADC CPX | Yes |
Citrix ADC | Envoyproxy | Yes |
Envoyproxy | Citrix ADC CPX | Yes |
To deploy Citrix ADC with Istio using Helm charts, see the following links:
- Deploy Citrix ADC as an Ingress Gateway using Helm charts
- Deploy Citrix ADC CPX as a sidecar using Helm charts
Features
Features supported on Citrix ADC in the Istio service mesh fall into the following categories:
- Traffic Management
- Security
- Observability
Traffic Management
Citrix ADC supports the following traffic management features in Istio.
- Service discovery
- Load balancing
- Secure Ingress
- Weighted clusters
- HTTP rewrite
- HTTP redirect
- HTTP fault injection
Security
SSL/TLS certificates required for applications are maintained and managed by Citadel in the Istio control plane. Some important security features supported on Citrix ADC are:
Authentication policy
- End user authentication or origin authentication using JWT authentication
- Transport authentication or service-to-service authentication using mutual TLS
Monitoring of Istio certificates and keys
Istio-adaptor monitors the folder where Istio deploys certificates and keys for mutual TLS authentication between Citrix ADC proxies. When the certificate and key are updated, Istio-adaptor loads the new certificate and key to Citrix ADC.
Observability
When a service is deployed in the mesh, users want insight into service behaviour. The Citrix ADC proxy provides a rich set of built-in metrics. When Citrix ADC CPX is deployed as a sidecar, these metrics represent telemetry data for an application. This spares the application developer from writing large amounts of instrumentation code, so the developer can focus on the core application logic.
Citrix has built a couple of auxiliary tools, Citrix ADC Metrics Exporter and Citrix Observability Exporter, which help in exporting metrics and/or transactional data to observability tools such as Prometheus, Zipkin, Kafka, etc.
Statistical data of the Citrix ADC Ingress device can be exported to Prometheus using Citrix ADC Metrics Exporter.
Citrix Observability Exporter (COE) is a microservice designed to collect metrics from Citrix ADCs and export them to observability tools such as Zipkin, Kafka, Prometheus, etc. To learn more about COE, refer to this link.
Telemetry in Ingress Gateway
Prometheus is usually already installed as part of the Istio package. By default, Citrix ADC Metrics Exporter is also deployed along with the Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in the Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard.
Telemetry and Distributed Tracing in Sidecar proxies
Citrix ADC CPX in conjunction with the Citrix Observability Exporter (COE) can export metrics to Prometheus deployed in the Istio service mesh. This data can also be visualized in Grafana.
Citrix ADC CPX sends transactional data to COE, which eventually exports these trace spans to Zipkin. This distributed tracing enables users to track service-to-service communication within a mesh. Visualizing the traces gives a deeper understanding of request latency, serialization, and parallelism.
The detailed list of fields supported on Citrix ADC as per the Istio CRDs (Destination Rule, Virtual Service, Policy, Gateway, Service Entry) can be found here.
Example: Deploying Bookinfo with Citrix ADC
Follow this link to deploy the Bookinfo application with Citrix ADC acting as an Istio Ingress Gateway and Citrix ADC CPX as a sidecar in application pods.
Blogs
- Citrix ADC as an Istio Ingress Gateway: Part 1 Deployment
- Citrix ADC as an Istio Ingress Gateway: Part 2 Configuration
- Citrix ADC in OpenShift Service Mesh
- Traffic Mirroring: Risk-free app upgrades in Istio with Citrix ADC
- End-user authentication in Istio Service Mesh with Citrix
Release Notes
Click here for the release notes of the latest Citrix istio-adaptor.
Contributions
Contributions are always welcome! Please read the Developer Guide.
Questions
For questions and support, the following channels are available:
To request an invitation to participate in the Slack channel, provide your email address using this form: https://podio.com/webforms/22979270/1633242
Issues
Please report issues in detail. Use the following command to collect the logs:
Get Logs: kubectl logs <podname> -c istio-adaptor -n <namespace> > log_file
Code of Conduct
This project adheres to the Kubernetes Community Code of Conduct. By participating in this project, you agree to abide by its terms.
Licensing
citrix-istio-adaptor is licensed with Apache License 2.0.