netscaler
diff --git a/‎README.md‎
Lines changed: 9 additions & 3 deletions b/‎README.md‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎deploy/README.md‎
Lines changed: 11 additions & 7 deletions b/‎deploy/README.md‎
Lines changed: 11 additions & 7 deletions
diff --git a/‎deploy/citrix-k8s-node-controller.yaml‎
Lines changed: 5 additions & 3 deletions b/‎deploy/citrix-k8s-node-controller.yaml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎deploy/configmap_tolerations.yaml‎
Lines changed: 11 additions & 0 deletions b/‎deploy/configmap_tolerations.yaml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎deploy/troubleshoot.md‎
Lines changed: 103 additions & 0 deletions b/‎deploy/troubleshoot.md‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎images/k8s_deployments.png‎
-591 KB b/‎images/k8s_deployments.png‎
-591 KB
diff --git a/‎images/kube_cnc_router.png‎
142 KB b/‎images/kube_cnc_router.png‎
142 KB
diff --git a/‎images/router-cmap-data.png‎
178 KB b/‎images/router-cmap-data.png‎
178 KB
diff --git a/‎images/router-pod-log.png‎
205 KB b/‎images/router-pod-log.png‎
205 KB
diff --git a/‎images/worker-1.png‎
207 KB b/‎images/worker-1.png‎
207 KB
@@ -70,9 +70,15 @@ Refer the [deployment](deploy/README.md) page for running Citrix k8s node contro
 
 ## Supported CNIs
 
-- Flannel
-- Calico (only Encapsulated IPIP mode)
-- Cilium
+- flannel
+- calico 
+- cilium
+- weave
+- canal
+
+## TroubleShoot
+
+After deploying CNC, if services are in DOWN state, refer the [troubleshooting](deploy/troubleshoot.md) page
 
 ## Questions
 
 
@@ -2,7 +2,7 @@
 
   This topic provides information on how to deploy Citrix node controller on Kubernetes and establish the route between Citrix ADC and Kubernetes Nodes.
 
-**NOTE:** As part of configuration, some resources will be created in the "kube-system" namespace. Hence, Please make sure that "kube-system" namespace is configurable.
+Note: CNC creates "kube-cnc-router" in HOST mode on all the schedulable-nodes. These router pods create virtual network interface and program iptables accordingly on respective nodes where they are scheduled. These pods need to run with NET_ADMIN capability to achieve the same. Hence CNC serviceaccount must have NET_ADMIN privilege and ability to create HOST mode pods.
 
 Perform the following:
 
@@ -28,12 +28,13 @@ Perform the following:
 
     | Environment Variable | Mandatory or Optional | Description |
     | -------------------- | --------------------- | ----------- |
-    | NS_IP | Mandatory | Citrix k8s node controller uses this IP address to configure the Citrix ADC. The NS_IP can be anyone of the following: </br></br> - **NSIP** for standalone Citrix ADC </br>- **SNIP** for high availability deployments (Ensure that management access is enabled) </br> - **CLIP** for Cluster deployments |
+    | NS_IP | Mandatory | Citrix kubernetes node controller uses this IP address to configure the Citrix ADC. The NS_IP can be anyone of the following: </br></br> - **NSIP** for standalone Citrix ADC </br>- **SNIP** for high availability deployments (Ensure that management access is enabled) </br> - **CLIP** for Cluster deployments |
     | NS_USER and NS_PASSWORD | Mandatory | The user name and password of Citrix ADC. Citrix k8s node controller uses these credentials to authenticate with Citrix ADC. You can either provide the user name and password or Kubernetes secrets. If you want to use a non-default Citrix ADC user name and password, you can [create a system user account in Citrix ADC](https://developer-docs.citrix.com/projects/citrix-k8s-ingress-controller/en/latest/deploy/deploy-cic-yaml/#create-system-user-account-for-citrix-ingress-controller-in-citrix-adc). </br></br> The deployment file uses Kubernetes secrets, create a secret for the user name and password using the following command: </br></br> `kubectl create secret  generic nslogin --from-literal=username='nsroot' --from-literal=password='nsroot'` </br></br> **Note**: If you want to use a different secret name other than `nslogin`, ensure that you update the `name` field in the `citrix-node-controller` definition. |
     | NETWORK | Mandatory | The IP address range (for example, `192.128.1.0/24`) that Citrix node controller uses to configure the VTEP overlay end points on the Kubernetes nodes. </br></br> **Note:** Ensure that the subnet that you provide is different from your Kubernetes cluster.|
     | VNID | Mandatory | A unique VXLAN VNID to create a VXLAN overlay between Kubernetes cluster and the ingress devices. </br></br>**Note:** Ensure that the VXLAN VNID that you use does not conflict with the Kubernetes cluster or Citrix ADC VXLAN VNID. You can use the `show vxlan` command on your Citrix ADC to view the VXLAN VNID. For example: </br></br> `show vxlan` </br>`1) ID: 500       Port: 9090`</br>`Done` </br> </br>In this case, ensure that you do not use `500` as the VXLAN VNID.|
     | VXLAN_PORT | Mandatory | The VXLAN port that you want to use for the overlay. </br></br>**Note:** Ensure that the VXLAN PORT that you use does not conflict with the Kubernetes cluster or Citrix ADC VXLAN PORT. You can use the `show vxlan` command on your Citrix ADC to view the VXLAN PORT. For example: </br></br> `show vxlan` </br>`1) ID: 500       Port: 9090`</br>`Done` </br> </br>In this case, ensure that you do not use `9090` as the VXLAN PORT.|
     | REMOTE_VTEPIP | Mandatory | The Ingress Citrix ADC SNIP. This IP address is used to establish an overlay network between the Kubernetes clusters.|
+    | CNI_TYPE | Mandatory | The CNI used in kubernetes cluster. Valid values: flannel,calico,canal,weave,cilium|
     | DSR_IP_RANGE | Optional | This IP address range is used for DSR Iptable configuration on nodes. Both IP and subnet must be specified in format : "xx.xx.xx.xx/xx" |
 
 
@@ -62,14 +63,17 @@ The highlights in the screenshot show the VXLAN VNID, VXLAN PORT, SNIP, route, a
 
 Apart from "citrix-node-controller" deployment, some other resources are also created.
 
-- In "Kube-system" namespace:
+- In the namespace where CNC was deployed:
     - For each worker node, a "kube-cnc-router" pod.
     - A configmap "kube-cnc-router".
-    - A serviceaccount "kube-cnc-router"
-- A clusterrole "kube-cnc-router"
-- A clusterrolebinding "kube-cnc-router"
 
-![Verification](../images/k8s_deployments.png)
+<img src="../images/kube_cnc_router.png" width="600" height="300">
+
+On each of the worker nodes, a interface "cncvxlan<hash-of-namespace>" and iptables rule will get created.
+
+<img src="../images/worker-1.png" width="600" height="300">
+<img src="../images/worker-2.png" width="600" height="300">
+
 
 # Delete the Citrix K8s node controller 
 
 
@@ -72,14 +72,14 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: kube-cnc-router
-  namespace: kube-system
+  namespace: default
 apiVersion: rbac.authorization.k8s.io/v1
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kube-cnc-router
-  namespace: kube-system
+  namespace: default
 
 ---
 apiVersion: apps/v1
@@ -99,7 +99,7 @@ spec:
       serviceAccountName: citrix-node-controller
       containers:
       - name: citrix-node-controller
-        image: "quay.io/citrix/citrix-k8s-node-controller:2.2.1"
+        image: "quay.io/citrix/citrix-k8s-node-controller:2.2.2"
         imagePullPolicy: Always
         env:
         - name: NS_IP
@@ -122,3 +122,5 @@ spec:
           value: "3267"
         - name: VNID
           value: "300"
+        - name: CNI_TYPE
+          value: "xxxx"
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: citrix-node-controller
+data:
+  key: "xxx"
+  operator: "xxx"
+  value: "xxx"
+  effect: "xxx"
+  tolerationseconds: "xxx"
@@ -0,0 +1,103 @@
+# CNC troubleshooting
+
+This document explains how to troubleshoot issues that you may encounter while using the Citrix Kubernetes node controller (CNC). Using this document, you can collect logs to determine the causes and apply workarounds for some of the common issues related to the configuration of the CNC
+
+To validate Citrix ADC and the basic node configurations, refer to the image on the [deployment](README.md) page.
+
+### Service status DOWN
+
+To debug the issues when the service is in down state,
+
+1. Verify the logs of the CNC pod using the following command::
+
+   ```
+   kubectl logs <cnc-pod> -n <namespace>
+   ```
+
+   Check for any 'permission' errors in the logs. CNC creates kube-cnc-router pods which require                 NET_ADMIN privilege to perform the configurations on nodes. So, the CNC service account must have the         NET_ADMIN privilege and the ability to create host mode kube-cnc-routerpods.
+
+2. Verify the logs of the kube-cnc-router pod using the following command:
+
+   ```
+   kubectl logs <kube-cnc-pod> -n <namespace>
+   ```
+
+   Check for any error in the node configuration. The following is a sample typical router pod log:
+
+   <img src="../images/router-pod-log.png" width="600" height="300">
+
+3. Verify the kube-cnc-router configmap output using the following command:
+
+   ```
+   kubectl get configmaps -n <namespace> kube-cnc-router -o yaml
+   ```
+   Check for empty field in the data section of the configmap. The following is a sample typical two node        data section:
+
+   <img src="../images/router-cmap-data.png" width="600" height="300">
+
+4. Verify the node configuration and make sure the following:
+   - CNC interface cncvxlan<md5_of_namespace> should be created.
+       - Assigned VTEP IP address should be the same as the corresponding router gateway entry in Citrix ADC.
+       - Status of interface should be functioning.
+   - iptable rule port should be created.
+       - Port should be the same that of VXLAN created on Citrix ADC.
+       
+   <img src="../images/worker-1.png" width="600" height="300">
+
+
+### If the service status is up and operational, but the ping from Citrix ADC is not working
+
+If you are not able to ping the service IP address from Citrix ADC even though the services are in operational state. One reason may be the presence of a PBR entry which directs the packets from Citrix ADC with SRCIP as NSIP to the default gateway.
+
+It does not impact any functionality. You can use the VTEP of Citrix ADC as source IP address using the -S option of ping command in the Citrix ADC command line interface. For example:
+
+   ```
+   ping <serviceIP> -S <vtepIP>
+   ```
+Note: If it is necessary to ping with NSIP itself, then, you must remove the PBR entry or add a new PBR entry for the endpoint with high priority.
+
+### cURL to the pod endpoint or VIP is not working
+
+Though, services are in up state, still you cannot cURL to the pod endpoint, that means, the stateful TCP session to the endpoint is failing. One reason may be the ns mode 'MBF' is set to enable. This issue depends upon deployments and might occur only on certain versions of Citrix ADC.
+To resolve this issue, you should disable MBF ns mode or bind a netprofilewith the netprofile disabled to the servicegroup.
+Note: If disabling the MBF resolves the issue, then it should be kept disabled.
+
+## Customer support
+
+For general support, when you raise issues, provide the following details which help for faster debugging.
+cURL or ping from Citrix ADC to the endpoint and get the details for the following:
+
+For the node, provide the details for the following commands:
+
+1. tcpdump capture on CNC interface on nodes
+   ```
+   tcpdump -i cncvxlan<hash_of_namesapce> -w cncvxlan.pcap
+   ```
+2. tcpdump capture on node Mgmt interface lets say "eth0"
+   ```
+   tcpdump -i eth0 -w mgmt.pcap
+   ```
+3. tcpdump capture on CNI interface lets say "vxlan.calico"
+   ```
+   tcpdump -i vxlan.calico -w cni.pcap
+   ```
+4. output of "ifconfig -a" on the node.
+5. output of "iptables -L" on the node.
+
+
+For ADC, provide the details for the following show commands:
+1. show ip
+2. show vxlan <vxlan_id>
+3. show route
+4. show arp
+5. show bridgetable
+6. show ns pbrs
+7. show ns bridgetable
+8. show ns mode
+9. Try and capture nstrace while ping/curl:
+   ```
+   start nstrace -size 0 -mode rx new_rx txb tx -capsslkeys enABLED
+   ```
+   ```
+   stop nstrace
+   ```