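# Citrix ADC CPX (ingress proxy) with the Citrix Ingress Controller (CIC) as a
# sidecar in the same pod. Documents, in order: ClusterRole, ClusterRoleBinding,
# ServiceAccount, CPX login Secret, Deployment, LoadBalancer Service.
#
# Review notes (security):
#   * The ClusterRole grants cluster-wide read on "secrets". A compromise of
#     this pod (which also runs a privileged container) therefore exposes every
#     Secret in the cluster, not only the TLS secrets of the ingresses it
#     serves. If ingresses live in a known set of namespaces, replace that
#     grant with a namespaced Role + RoleBinding per namespace instead.
#   * The "nslogin" Secret below decodes to nsroot/nsroot, the CPX factory
#     default login. Rotate it and keep real credentials out of version control.
#   * The CPX container runs privileged (host-level access). Keep this workload
#     in a namespace of its own and do not schedule other workloads next to it.
---
kind: ClusterRole
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been
# served since 1.8, so this is a compatible change.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cpx-ingress-k8s-role
rules:
  # NOTE(review): "secrets" is cluster-wide read of every Secret (the controller
  # needs the TLS secrets referenced by Ingress objects). See header note.
  # "ingresses" and "routes" were dropped from this core-group rule: they do not
  # exist in the "" API group, so the entries granted nothing.
  - apiGroups: [""]
    resources: ["endpoints", "pods", "secrets", "nodes", "namespaces", "configmaps"]
    verbs: ["get", "list", "watch"]
  # services/status is needed to update the loadbalancer IP in service status
  # for integrating service of type LoadBalancer with external-dns
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  # Ingress moved from "extensions" to "networking.k8s.io"; grant both so the
  # controller is not denied on clusters that serve only the newer group.
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses", "ingresses/status"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Citrix CRDs consumed by the controller (read-only).
  - apiGroups: ["citrix.com"]
    resources: ["rewritepolicies", "canarycrds", "authpolicies", "ratelimits", "listeners", "httproutes"]
    verbs: ["get", "list", "watch"]
  # Status sub-resources of the same CRDs are written back by the controller.
  - apiGroups: ["citrix.com"]
    resources: ["rewritepolicies/status", "canarycrds/status", "ratelimits/status", "authpolicies/status", "listeners/status", "httproutes/status"]
    verbs: ["get", "list", "patch"]
  # VIP objects are created and removed by the controller itself.
  - apiGroups: ["citrix.com"]
    resources: ["vips"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # OpenShift routes (the real API group for "routes").
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cpx-ingress-k8s-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cpx-ingress-k8s-role
subjects:
  # A ServiceAccount subject carries no apiGroup/apiVersion; the stray
  # "apiVersion" key the original had here is not a valid subject field.
  - kind: ServiceAccount
    name: cpx-ingress-k8s-role
    namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cpx-ingress-k8s-role
  namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: nslogin
  namespace: default
type: Opaque
# WARNING: both values decode to "nsroot", the CPX default login. Replace them
# before deploying, e.g.
#   kubectl create secret generic nslogin \
#     --from-literal=username=... --from-literal=password=...
# and do not commit the real values to version control.
data:
  username: bnNyb290
  password: bnNyb290
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cpx-ingress
  # Pinned to the namespace of the ServiceAccount and Secret it references;
  # applying this Deployment into another namespace would leave both unresolved.
  namespace: default
spec:
  selector:
    matchLabels:
      app: cpx-ingress
  replicas: 1
  template:
    metadata:
      name: cpx-ingress
      labels:
        app: cpx-ingress
    spec:
      serviceAccountName: cpx-ingress-k8s-role
      containers:
        - name: cpx-ingress
          # NOTE(review): tag-pinned only. With imagePullPolicy: Always a
          # re-pull takes whatever the tag points at; pin by digest
          # (image@sha256:...) to make the supply chain reproducible.
          image: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-58.30"
          securityContext:
            # Privileged gives this container unrestricted access to the node.
            # Treat the whole pod as node-equivalent and isolate it accordingly.
            privileged: true
          env:
            - name: "EULA"
              value: "yes"
            - name: "KUBERNETES_TASK_ID"
              value: ""
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            # NITRO management API. Not published by the Service below, but
            # still reachable on the pod IP from inside the cluster; restrict
            # it with a NetworkPolicy where the CNI enforces them.
            - name: nitro-http
              containerPort: 9080
            - name: nitro-https
              containerPort: 9443
          # This is required for Health check to succeed
          readinessProbe:
            tcpSocket:
              port: 9080
            initialDelaySeconds: 60
            periodSeconds: 5
            failureThreshold: 5
            successThreshold: 1
          imagePullPolicy: Always
          volumeMounts:
            - mountPath: /cpx/conf/
              name: cpx-volume1
            - mountPath: /cpx/crash/
              name: cpx-volume2
        # Add cic as a sidecar
        - name: cic
          image: "quay.io/citrix/citrix-k8s-ingress-controller:1.9.9"
          securityContext:
            # The controller has no need for setuid/setcap escalation.
            allowPrivilegeEscalation: false
          env:
            - name: "EULA"
              value: "yes"
            # The controller talks to the CPX over the pod's loopback only;
            # plain HTTP here never leaves the pod network namespace.
            - name: "NS_IP"
              value: "127.0.0.1"
            - name: "NS_PROTOCOL"
              value: "HTTP"
            - name: "NS_PORT"
              value: "80"
            - name: "NS_DEPLOYMENT_MODE"
              value: "SIDECAR"
            - name: "NS_ENABLE_MONITORING"
              value: "YES"
            # CPX login, taken from the "nslogin" Secret (see warning above).
            - name: "NS_USER"
              valueFrom:
                secretKeyRef:
                  name: nslogin
                  key: username
            - name: "NS_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: nslogin
                  key: password
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          imagePullPolicy: Always
      volumes:
        - name: cpx-volume1
          emptyDir: {}
        - name: cpx-volume2
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: cpx-service
  namespace: default
  labels:
    app: cpx-service
spec:
  # Only the data-plane ports are published; the NITRO ports stay pod-local.
  type: LoadBalancer
  ports:
    - port: 80
      protocol: TCP
      name: http
    - port: 443
      protocol: TCP
      name: https
  selector:
    app: cpx-ingress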