Merge pull request #686 from arijitr-citrix/master

Adding WAF CRD changes

Author: subashd

crd/nsic-crds.yaml

@@ -1808,6 +1808,28 @@ spec:
                     items:
                       type: string
                       description: "header name"
+              exclude:
+                description: 'To control what traffic to be excluded by Web Application Firewall. If you do not provide the exclude list, nothing will be skipped by default explicitly'
+                type: object
+                properties:
+                  path:
+                    type: array
+                    description: "List of http urls to exclude"
+                    items:
+                      type: string
+                      description: "URL path"
+                  method:
+                    type: array
+                    description: "List of http methods to exclude"
+                    items:
+                      type: string
+                      enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD']
+                  header:
+                    type: array
+                    description: "List of http headers to exclude"
+                    items:
+                      type: string
+                      description: "header name"
               security_checks:
                 description: 'To enable/disable application firewall security checks'
                 type: object

crd/waf/waf-crd.yaml

@@ -95,6 +95,28 @@ spec:
                     items:
                       type: string
                       description: "header name"
+              exclude:
+                description: 'To control what traffic to be excluded by Web Application Firewall. If you do not provide the exclude list, nothing will be skipped by default explicitly'
+                type: object
+                properties:
+                  path:
+                    type: array
+                    description: "List of http urls to exclude"
+                    items:
+                      type: string
+                      description: "URL path"
+                  method:
+                    type: array
+                    description: "List of http methods to exclude"
+                    items:
+                      type: string
+                      enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT', 'UNKNOWN_METHOD']
+                  header:
+                    type: array
+                    description: "List of http headers to exclude"
+                    items:
+                      type: string
+                      description: "header name"
               security_checks:
                 description: 'To enable/disable application firewall security checks'
                 type: object

deployment/baremetal/citrix-k8s-cpx-ingress.yml

@@ -0,0 +1,176 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cpx-ingress-k8s-role
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints", "ingresses", "pods", "secrets", "nodes", "routes", "namespaces", "configmaps", "services"]
+    verbs: ["get", "list", "watch"]
+  # services/status is needed to update the loadbalancer IP in service status for integrating
+  # service of type LoadBalancer with external-dns
+  - apiGroups: [""]
+    resources: ["services/status"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses", "ingresses/status"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingresses/status", "ingressclasses"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["citrix.com"]
+    resources: ["rewritepolicies", "authpolicies", "ratelimits", "listeners", "httproutes", "continuousdeployments", "apigatewaypolicies", "wafs", "bots", "wildcarddnsentries"]
+    verbs: ["get", "list", "watch", "create", "delete", "patch"]
+  - apiGroups: ["citrix.com"]
+    resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "wildcarddnsentries/status"]
+    verbs: ["patch"]
+  - apiGroups: ["citrix.com"]
+    resources: ["vips"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["config.openshift.io"]
+    resources: ["networks"]
+    verbs: ["get", "list"]
+  - apiGroups: ["network.openshift.io"]
+    resources: ["hostsubnets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["crd.projectcalico.org"]
+    resources: ["ipamblocks"]
+    verbs: ["get", "list", "watch"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cpx-ingress-k8s-role
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cpx-ingress-k8s-role
+subjects:
+- kind: ServiceAccount
+  name: cpx-ingress-k8s-role
+  namespace: default
+apiVersion: rbac.authorization.k8s.io/v1
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cpx-ingress-k8s-role
+  namespace: default
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cpx-ingress
+  labels:
+    name: cpx-ingress
+    app: cpx-ingress
+spec:
+  selector:
+    matchLabels:
+      app: cpx-ingress
+  replicas: 1
+  template:
+    metadata:
+      name: cpx-ingress
+      labels:
+        app: cpx-ingress
+      annotations: null
+    spec:
+      serviceAccountName: cpx-ingress-k8s-role
+      containers:
+        - name: cpx-ingress
+          image: quay.io/netscaler/netscaler-cpx:14.1-38.53
+          tty: true
+          securityContext:
+             privileged: true
+          env:
+          - name: "EULA"
+            value: "yes"
+          - name: "KUBERNETES_TASK_ID"
+            value: ""
+          imagePullPolicy: Always
+          volumeMounts:
+            - mountPath: /var/deviceinfo
+              name: shared-data
+            - mountPath: /cpx/
+              name: cpx-volume
+            - mountPath: /cpx/conf
+              name: cpx-volume-conf
+        # Add cic as a sidecar
+        - name: cic
+          image: quay.io/netscaler/netscaler-k8s-ingress-controller:3.1.34
+          volumeMounts:
+          - mountPath: /var/deviceinfo
+            name: shared-data
+          args:
+          - --ingress-classes
+              citrix
+          env:
+          - name: "EULA"
+            value: "yes"
+          - name: "NS_IP"
+            value: "127.0.0.1"
+          - name: "NS_PROTOCOL"
+            value: "HTTP"
+          - name: "NS_PORT"
+            value: "80"
+          - name: "NS_DEPLOYMENT_MODE"
+            value: "SIDECAR"
+          - name: "NS_ENABLE_MONITORING"
+            value: "YES"
+          - name: "LOGLEVEL"
+            value: "INFO"
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          imagePullPolicy: Always
+      volumes:
+      - name: shared-data
+        emptyDir: {}
+      - name: cpx-volume
+        emptyDir: {}
+      - name: cpx-volume-conf
+        emptyDir: {}
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: cpx-service
+  labels:
+    app: cpx-service
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    protocol: TCP
+    name: http
+  - port: 443
+    protocol: TCP
+    name: https
+  selector:
+    app: cpx-ingress

docs/configure/cpx-bgp-router/citrix-k8s-cpx-ingress.yml

@@ -0,0 +1,112 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  annotations:
+  name: cpx-ingress
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: cpx-ingress
+  template:
+    metadata:
+      labels:
+        app: cpx-ingress
+      name: cpx-ingress
+    spec:
+      containers:
+      - env:
+        - name: EULA
+          value: "yes"
+        - name: NS_NETMODE
+          value: HOST
+        - name: KUBERNETES_TASK_ID
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        image: quay.io/netscaler/netscaler-cpx:14.1-38.53 
+        imagePullPolicy: Always
+        name: cpx-ingress
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - NET_ADMIN
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /cpx/conf/
+          name: cpx-volume1
+        - mountPath: /cpx/crash/
+          name: cpx-volume2
+        - mountPath: /var/deviceinfo
+          name: shared-data
+      # add Netscaler ingress controller as sidecar to CPX
+      - name: cic
+        args:
+        #- --configmap default/config
+        #- --ipam citrix-ipam-controller
+        - --deployment-type kube-bgp-router
+        securityContext:
+          runAsUser: 0
+          capabilities:
+            add:
+            - NET_ADMIN
+        env:
+        - name: EULA
+          value: "yes"
+        - name: NS_IP
+          value: 192.168.1.2
+        - name: NS_PROTOCOL
+          value: HTTPS
+        - name: NS_PORT
+          value: "9443"
+        - name: NS_DEPLOYMENT_MODE
+          value: SIDECAR
+        - name: NS_ENABLE_MONITORING
+          value: "YES"
+        # This is IP used for ingress resources
+      # - name: NS_VIP
+      #   value: x.x.x.x 
+        - name: LOGLEVEL
+          value: "INFO"
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        image: "quay.io/netscaler/netscaler-k8s-ingress-controller:3.1.34" 
+        imagePullPolicy: Always
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+         - mountPath: /var/deviceinfo
+           name: shared-data
+      hostNetwork: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      restartPolicy: Always
+      securityContext: {}
+      serviceAccount: cpx-ingress-k8s-role
+      serviceAccountName: cpx-ingress-k8s-role
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: cpx-volume1
+      - emptyDir: {}
+        name: cpx-volume2
+      - emptyDir: {}
+        name: shared-data