Production-Grade Ingress Solution Using Citrix and Rancher


Introduction

This post outlines how to build a production-grade ingress solution using Citrix ADC on Rancher. Customers can confidently expose end user traffic to microservices or legacy workloads on Kubernetes clusters on Rancher using this solution.

About ADC & Citrix ADC

Citrix ADC (formerly known as NetScaler) has been a market leader for over 15 years in the Application Delivery Controller (ADC) market, helping organizations manage their hyperscale web traffic. An ADC combines advanced load balancing, TLS termination, reverse proxying, L3-L7 protocol optimizations, and redundancy solutions to deliver high-performance applications. Citrix ADC provides these benefits for on-premises, public cloud, and private cloud deployments. It is available in several different form factors – containerized (CPX), virtualized (VPX), hardware (MPX, SDX), and the recently launched bare-metal (BLX). The CPX in particular is a high-performance, low-footprint, cloud native service and edge proxy that can run inside Kubernetes clusters such as those managed by Rancher.

For applications deployed in Kubernetes, Citrix ADC offers the following solutions:

  1. Architectural flexibility to use the same solution within and outside of Kubernetes clusters: The Citrix Ingress Controller manages ingress for different teams, often separated by namespaces. The controller can manage Citrix ADC CPX and Citrix ADC MPX/VPX/BLX in isolation or in combination. As an ingress device, the CPX serves as an edge proxy implementing HTTP L7 policies (routing, TLS, circuit breaking, load balancing) and provides deep visibility into ingress traffic. Customers that prefer to use hardware/virtualized load balancers outside the Kubernetes cluster can use the Citrix ADC MPX/VPX/SDX with the Citrix Ingress Controller either as a single-tier solution or in combination with the CPX. The hardware/virtualized form factors offer high-performance TLS offload on dedicated hardware chips and additional multi-tenancy features.
  2. Better developer experience: Citrix Ingress Controller configures Citrix ADC according to the ingress rules specified in the Kubernetes cluster. It is a feature-rich controller that takes a CRD-first approach rather than relying on annotations. CRDs (CustomResourceDefinitions) enable developers to easily manage production traffic policies without having to become a Citrix ADC expert. The controller translates the CRD desired state into a Citrix ADC configuration. Here are some Rewrite & Responder CRD examples to fulfill common HTTP request/response rewrite use cases.
  3. Ingress for legacy & new applications: Citrix ADC can manage end user traffic for new cloud native apps or legacy apps in a Kubernetes cluster. The ingress solution works at scale for TCP/UDP based apps (databases such as MongoDB and MySQL, message buses such as Kafka, caches such as Redis and Memcache, or other legacy apps based on RPC/SOAP) in addition to HTTP/S web applications.
  4. Cost savings through multi-tenancy: Using admin partitions and multiple ingress classes, you can create logical separation for different teams on the same Citrix ADC instance. This is useful in production applications where you would want to maximize utilization of Kubernetes cluster resources across multiple teams.
  5. Troubleshooting of microservices using service graph: Troubleshooting is one of the biggest pain points in production microservices because each end user request is served by several microservices. Citrix ADM’s service graph provides visibility into interactions between microservices (including the golden signals – latency, volume, and errors) to identify and remediate problems based on metrics such as latency, HTTP errors, etc.
  6. Better continuous deployment practices: With support for flexible canary policies, the Citrix ADC can help move code into production faster than before. Metrics from the Citrix ADC can be used to judge the success of a canary or blue-green deploy with a tool like Spinnaker’s Kayenta plugin – and then automate the promotion of canary to full traffic.
  7. Deep visibility into ingress traffic with cloud native stacks: Citrix ADC exports counters, metrics, logs, and traces to popular open source tools such as Prometheus, Grafana, EFK (Elasticsearch, Fluentd, Kibana), Zipkin, OpenTracing, and more. Citrix ADC can fit in the cloud native stack of your choice on the Rancher platform.
  8. Turbocharge SREs with Citrix ADM AIOps: In addition to the Service Graph, Citrix ADM provides advanced analytics on metrics and transaction logs collected from Citrix ADC. Machine learning and statistical models provide anomaly detection and help SREs pro-actively manage availability, performance, and security of the Kubernetes cluster.

How to Use Citrix ADC as an Ingress Solution on Rancher

The following steps show how to deploy Citrix ADC on Rancher to do ingress for a simple guestbook application (PHP application with Redis). Citrix ADC CPX works as an ingress to route end user traffic to the guestbook applications hosted on the Rancher-managed Kubernetes cluster. The diagram below shows the topology of this sample application:

Citrix ADC CPX architecture

First, deploy Rancher via the quick start guidelines. Once Rancher is up and running, create or import a 3-node Kubernetes cluster within Rancher. This is the default landing page:

Rancher default landing page

Next, on the Workloads tab, click the Import YAML button and paste or upload the deployment from the guestbook-all-in-one.yaml file:

Rancher import YAML page

You will be able to see the 3 deployments as shown below, namely — frontend, redis-master, and redis-slave:

Guestbook deployment resources in Rancher

Now, we’ll deploy the Citrix Ingress Controller. Go to the default namespace dashboard, and click on Launch kubectl:

Default namespace dashboard in Rancher

Copy the YAML from the Citrix Ingress Controller docs on GitHub that deploys CPX as a pod on the Kubernetes cluster, and save it as cpx.yaml.

Apply cpx.yaml on the Kubernetes cluster, and verify that the CPX Pod is running:

CPX YAML rules

Verifying CPX ingress deployment

You’ll see the same application on the Workloads tab:

CPX ingress in Rancher's workloads tab

Next, go to the Load Balancing tab:

Rancher's load balancing tab

Import the ingress.yaml file, with the following code. These are your ingress rules:

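# Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22;
# newer clusters serve Ingress only from networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: guestbook-ingress
  annotations:
    # Hand this Ingress to the Citrix Ingress Controller
    kubernetes.io/ingress.class: "citrix"
spec:
  rules:
  - host: www.guestbook.com
    http:
      paths:
      # Route all paths for this host to the guestbook frontend service
      - path: /
        backend:
          serviceName: frontend
          servicePort: 80

Select ingress YAML configuration

Import ingress YAML configuration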

If you click on the Load Balancing tab, it should show the guestbook-ingress running as the ingress:

Guestbook ingress in load balancing tab

If you’d like, you can log in to the CPX pod to see the LB vserver configuration (this is the load balancing server running in Citrix ADC):

LB vserver configuration

In your local system’s hosts file, configure “www.guestbook.com” to point to the IP address of the Kubernetes master node. Visit “www.guestbook.com:5555” in your browser (or use curl) to see the PHP-based guestbook app up and running. You can enter any message and it will get saved in the Redis cluster running on the Rancher-managed Kubernetes cluster:

Guestbook messages page

You can also see various pods running (Ingress Controller, frontend, redis apps):

Display of guestbook pods
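
The ingress rules imported above route www.guestbook.com over plain HTTP and carry no TLS section. As an added check (not part of the original post or of Citrix's code), the script below audits an Ingress object for the points a reviewer would look at before calling it production-ready: a removed API version, the expected ingress class, and hosts without a TLS certificate. The sample object is constructed from the manifest in this post, and the finding names are hypothetical labels.

```python
import json

# Constructed sample: the guestbook-ingress from this post, in the shape
# `kubectl get ingress guestbook-ingress -o json` returns (trimmed).
GUESTBOOK_INGRESS = json.loads("""
{
  "apiVersion": "extensions/v1beta1",
  "kind": "Ingress",
  "metadata": {"name": "guestbook-ingress",
               "annotations": {"kubernetes.io/ingress.class": "citrix"}},
  "spec": {"rules": [{
    "host": "www.guestbook.com",
    "http": {"paths": [{"path": "/",
      "backend": {"serviceName": "frontend", "servicePort": 80}}]}}]}
}
""")

# Ingress API versions that Kubernetes 1.22 stopped serving.
REMOVED_API_VERSIONS = {"extensions/v1beta1", "networking.k8s.io/v1beta1"}


def audit_ingress(ing, expected_class="citrix"):
    """Return a list of findings (hypothetical labels) for one Ingress dict."""
    findings = []
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    if ing.get("apiVersion") in REMOVED_API_VERSIONS:
        findings.append("api-version-removed-in-1.22")
    # The class may come from the annotation (as in this post) or the spec field.
    cls = ((meta.get("annotations") or {}).get("kubernetes.io/ingress.class")
           or spec.get("ingressClassName"))
    if cls != expected_class:
        findings.append("unexpected-ingress-class")
    # Hosts listed in a TLS entry that also names a certificate secret
    # (exact-match only; wildcard TLS hosts are not expanded here).
    tls_hosts = {h for t in spec.get("tls") or [] if t.get("secretName")
                 for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append("rule-without-host")  # rule matches any Host header
        elif host not in tls_hosts:
            findings.append(f"no-tls:{host}")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(GUESTBOOK_INGRESS):
        print(finding)
```

Run against live objects by loading the output of `kubectl get ingress -o json` and calling `audit_ingress` on each entry in `items`.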

Learn more about Citrix ADC

Here are some useful resources to get started with Citrix ADC’s Ingress solution:

Soon, we’ll be announcing some exciting news about Citrix’s support for Istio service mesh and integration with several cloud native solutions for logging, monitoring, tracing, and CICD, in addition to Rancher. Stay connected with Citrix Networking on Twitter.

Harsh Arora and Komal Bhardwaj
Harsh works on the Citrix Networking Engineering team. He has rich experience in the Layer-2/TCP/IP/SDN domain. Komal works on the Citrix Networking Product Management team on cloud native and core ADC solutions.