Add a second client helper to manage local cluster and remote cluster. #638

Open
@BobVanB


Is your feature request related to a problem? Please describe.

Use a kubernetes_url with kube-token to point to a different cluster.

- name: cic 
  args:
  - --kube-token token-p9dkh:<token>
  env:
  - name: kubernetes_url
    value: https://<remote_url>:6443

This will give an error that it can't find its own pod. Probably to update a status.

2024-03-07 07:43:35,189  - DEBUG - [singleton.py:__call__:20] (MainThread) Singleton class <class 'triton.kubernetes.kubeeventwriter.podstatusevent.currentpod.CurrentPod'> got created
2024-03-07 07:43:35,258  - ERROR - [clienthelper.py:get:44] (MainThread) Reuqest /pods/<prefix>-citrix-ingress-controller-6498748c7f-jbhdp to the api server is not authorized
2024-03-07 07:43:35,258  - WARNING - [podstatusevent.py:write:78] (MainThread) PodStatusEvent: FAILURE: Getting pod Info: 401 Client Error: Unauthorized for url: https://<remote_url>:6443/api/v1/namespaces/citrix-ingress/pods/<prefix>-citrix-ingress-controller-6498748c7f-jbhdp

These two requests are probably handled by the same instance of clienthelper.py that points to kubernetes_url:

  1. Getting the netscaler resources. IngressClass, Ingress, Waf, etc...
  2. Getting the current CurrentPod

Describe the solution you'd like

Initialize 2 clienthelper.py:

  1. The first one using the local connection details using the serviceAccountName that is connected to the pod.
    https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy
  2. The second one using the arguments passed by environment variables or arguments.
    --kube-apiserver
    --kube-token
    kubernetes_url
    

Describe alternatives you've considered

There is no other solution provided by Citrix, other than manually adding a CPX to the VPX.
The response was to add a CIC controller and add the entries to the VPX via Ingress.
This CIC can't be on the customer cluster, because of security issues. So it has to be remote and that is not possible because of the above.

Additional context

  • This enables a central citrix ingress controller to manage a remote cluster.
  • This could enable one central citrix ingress controller to manage multiple remote clusters.

Something like this in the helmchart values yaml would be cool:

clusters:
- clusterName: clusterA
  kubernetes_url: https://clusterA:6443
  entityPrefix: clsA
  ...
- clusterName: clusterB 
  kubernetes_url: https://clusterB:6443
  entityPrefix: clsB
  nodeWatch: true
  cncPbr: true
  disableAPIServerCertVerify: true
  ... all remote cluster settings
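
A sketch of the two-client split requested above, as an added example that is not part of the original issue or of the Citrix ingress controller code: the CurrentPod lookup is bound to the in-pod service account and the local API server, while resource requests use `kubernetes_url` and `--kube-token`. `ClusterClient` and all function names are hypothetical; the service account file paths and `https://kubernetes.default.svc` come from the Kubernetes documentation linked in the issue, and leaving the remote CA unset is an assumption.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Standard in-pod service account mount (see the Kubernetes docs linked in the issue).
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")


@dataclass(frozen=True)
class ClusterClient:
    """One API server plus the only credential allowed to go to it (hypothetical type)."""
    name: str
    base_url: str
    token: str
    ca_file: Optional[str]  # None means: verify against the system trust store (assumption)

    def request_for(self, path: str):
        """Return (url, headers) for a GET; the URL is always built from this client's base_url."""
        if not path.startswith("/"):
            raise ValueError("API path must be absolute")
        return self.base_url.rstrip("/") + path, {"Authorization": f"Bearer {self.token}"}


def local_client(sa_dir: Path = SA_DIR) -> ClusterClient:
    """Client for the cluster the controller pod runs in, using its serviceAccountName."""
    token = (sa_dir / "token").read_text().strip()
    return ClusterClient("local", "https://kubernetes.default.svc", token, str(sa_dir / "ca.crt"))


def remote_client(env: dict, kube_token: str) -> ClusterClient:
    """Client for the managed cluster, built from kubernetes_url and --kube-token."""
    url = env["kubernetes_url"]
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-https URL")
    return ClusterClient("remote", url, kube_token, None)


def current_pod_request(local: ClusterClient, pod_name: str, sa_dir: Path = SA_DIR):
    """CurrentPod lookup: always the local API server, in the pod's own namespace."""
    namespace = (sa_dir / "namespace").read_text().strip()
    return local.request_for(f"/api/v1/namespaces/{namespace}/pods/{pod_name}")


def ingress_list_request(remote: ClusterClient):
    """Resource watch (Ingress shown here): always the remote API server."""
    return remote.request_for("/apis/networking.k8s.io/v1/ingresses")
```

Because each token lives only inside its own `ClusterClient`, the remote `--kube-token` is never presented to the local API server and the pod's service account token is never sent to `kubernetes_url`.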
