Helm chart release notes for Citrix Ingress Controller version 1.33.4

This release note contains information about the Helm chart-related changes for the Citrix ingress controller version 1.33.4

Enhancements

Support for increased prefix length

When you specify the prefix name for NetScaler entities for applications, the prefix name length is enhanced from 7 to 15. When you upgrade Citrix ingress controller to a new version and change the prefix name to a larger value, old entities are not renamed and all entities are newly created. To avoid any stale configuration with the old prefix, you can either delete the ingress and reapply after the upgrade or delete the stale configuration with older prefixes manually from NetScaler.

Support for HTTP PATCH method

PATCH is an HTTP method for changing or adding data to existing resources. Now, the PATCH HTTP method is supported with authentication, authorization, rate limit, BOT, and WAF policy CRDs.

Helm chart release notes for Citrix Ingress Controller version 1.32.7

This release note contains information about the Helm chart-related changes for the Citrix ingress controller version 1.32.7.

What's new

NetScaler provides a kubectl plug-in netscaler-k8s to inspect ingress controller deployments and aids in troubleshooting operations.
You can inspect NetScaler configuration and related Kubernetes components using the subcommands available with this plug-in.

Fixed issues

• If an Ingress resource refers to the Listener resource, content-switching policies were getting disassociated from the content-switching virtual server after the Citrix ingress controller restart. This issue is fixed now.
• There was an erroneous entry for device_fingerprint in the BOT CRD definition due to which BOT CRDs were not getting applied. This issue is fixed now.

Enhancements

• Citrix ingress controller now supports multiple response codes in the GTP CRD. Earlier only one response code was allowed in the GTP CRD.
• Citrix ingress controller deployed with the scope namespace is now enhanced to process CRDs in the local namespace. Earlier, it was only supporting Ingress resources.

Known issues

• Bot CRD definition is updated in this release. If Bot CRD has been installed using Helm chart, Helm upgrade to this release won't work. You will have to delete and reinstall the Helm chart in this case.

Helm chart release notes for ADM Agent Onboarding version 1.1.0

This release note contains information about the Helm chart-related changes for the ADM agent onboarding version 1.1.0.

What's new

 This release of the ADM agent onboarding enables you to provide the name of the Kubernetes cluster that needs to be registered with the ADM service. You can also provide the Kubernetes API URL that should be registered in the ADM service. This enhancement simplifies the user experience while registering multiple Kubernetes clusters in the ADM service.

The following parameters are added to the Helm chart as part of this enhancement:

-  apiURL :  Provides the Kubernetes API URL in the https://<host>:port format.

-  clusterName: Specifies the Kubernetes cluster name to be registered in the ADM servi

Helm chart release notes for Citrix ingress controller version 1.31.3

Fixed issues

In this release, Citrix ingress controller is enhanced to handle large-scale services in an improved and optimized approach.

Helm chart release notes for Citrix ADC Observability Exporter 1.5.001

Helm chart release notes for Citrix ADC Observability Exporter 1.5.001

This release note contains information about the Helm chart-related changes for the Citrix ingress controller version 1.5.001

Enhancements

• Added rate-limiting support for transactions in JSON-based endpoints: ElasticSearch, Splunk, and Zipkin. The following parameters are added to the Helm chart for rate-limiting support:
  • json_trans_rate_limiting.enabled
  • json_trans_rate_limiting.limit
  • json_trans_rate_limiting.queuelimit
  • json_trans_rate_limiting.window
    For more information, see rate limiting support for transactions in ElasticSearch, Splunk, and Zipkin.
• You can now run Citrix ADC Observability Exporter as a non-root user named coe_guest with the user-id as 1000 and the group-id as 1000.

Helm chart release notes for Citrix ingress controller v1.30.1

This release note contains information about the Helm chart-related changes for the Citrix ingress controller version 1.30.1.

Fixed issues

• Earlier, Citrix ingress controller was not binding the policies created for the CORS CRD to the load-balancing virtual server. This issue is now fixed.
• After the Citrix ingress controller reboot, certain entities related to the HTTPRoute were reapplied. This issue is now fixed.
• Citrix ingress controller was skipping service modification events when POD_IPS_FOR_SERVICEGROUP_MEMBERS is enabled for a service of type LoadBalancer. This issue is fixed now.
• While choosing the default certificate, Citrix ingress controller was selecting the certificate in the application namespace instead of the certificate in the namespace provided with the default SSL parameter. Now, Citrix ingress controller selects the certificate in the namespace provided with the default SSL parameter.
• For services of type LoadBalancer, Citrix ingress controller was binding certificates as non-server name indication (SNI) type in the SSL virtual server irrespective of whether SNI is enabled in the SSL profile or not. With this fix, if SNI is enabled in the SSL profile annotation for services of type LoadBalancer, then the certificates get bind as SNI in the SSL virtual server. If SNI is not enabled, certificates are bound as the non-SNI type.
• In the rewrite and responder policy, when the values in two key-value pairs of a string map are identical Citrix ingress controller was considering only one of the key-value pair configurations while applying the policy on the Citrix ADC. This issue is now fixed.
• When the timeslice field was missing in the Rate limit CRD, application configuration was failing on the Citrix ADC appliance. This issue is fixed now.
• Earlier four HTTP methods namely GET, PUT, POST, and DELETE were supported in authentication, authorization, rate limit, BOT, and WAF policies. Citrix ingress controller now supports four additional HTTP methods, HEAD, OPTIONS, TRACE, and CONNECT with these policies

Helm chart release notes for Citrix ingress controller v1.29.5

This release note contains information about the Helm chart-related changes for the Citrix ingress controller version 1.29.5.

What’s new

Fixed issues

• If an ingress has an empty TLS section, Citrix ingress controller was configuring CS virtual server as SSL type by default. Now, Citrix ingress controller creates an SSL virtual server only if a default certificate is provided.
• CS virtual server creation was failing for the Ingress resource, when an application is exposed with ANY as protocol and port as * in the Ingress resource. This issue is now fixed.
• Citrix ingress controller was not fully provisioning the SSL profile after the Citrix ADC CPX restart. This issue is fixed now.

Enhancements

The following new parameters are introduced in the Helm chart:

• profileSslFrontend: Specify this parameter to set the front-end SSL profile.
• profileTcpFrontend: Specify this parameter to set the front-end TCP profile.
• profileHttpFrontend: Specify this parameter to set the front-end HTTP profile
  Using the respective parameter, you can enable or disable SSL, TCP, and HTTP features for multiple Ingresses that shares a common front-end IP address.

Helm chart release notes for Citrix ingress controller v1.28.2

This release note contains information about the Helm chart related changes for the Citrix ingress controller version 1.28.2.

Enhancements

• Updated CPX version to 13.1-37.38 in Citrix Netscaler CPX with CIC helm chart

Deploying Citrix ingress controller with minimal privileges

• A new parameter rbacRole is introduced in the Helm chart to enable you to deploy Citrix ingress controller with minimal privileges for a particular namespace with Role binding. You can set this parameter to true to deploy Citrix ingress controller with Role binding. By default, Citrix ingress controller gets installed with ClusterRole binding and this parameter is set as false.

Fixed issues

• When Citrix IPAM controller is already configured and Citrix ingress controller is provided with NS_VIP and NS_SVC_LB_DNS_REC DNS records were getting created spuriously even for virtual IP addresses assigned using NS_VIP. This behavior was occurring for services of type LoadBalancer. Now, DNS address records are added on Citrix ADC only for the IP addresses assigned by Citrix IPAM controller.

Helm Chart release notes for Citrix CPX Istio Sidecar Injector v1.14.1

Helm Chart Release Notes for Citrix CPX Istio Sidecar Injector v1.14.1

This release note contains information about the Helm chart related changes for the Citrix CPX Istio Sidecar Injector v1.14.1.

What’s new

New mutatingwebhook for NetScaler CPX Sidecar Injector

A new mutatingwebhook configuration is added in the CPX sidecar injector deployment. The mutatingwebhookconfig object.cpx-sidecar-injector.citrix.io ensures that the NetScaler CPX would be injected as a sidecar proxy in the application pod if it is labeled with sidecar.citrix.io/inject. The injection will happen even if the namespace is not labelled with cpx-injection=enabled.

Change of names of the mutatingwebhookconfigurations

The mutatingwebhook sidecar-injector.istio.io has been renamed as cpx-sidecar-injector.citrix.io. This webhook is responsible to inject NetScaler CPX as a sidecar proxy in the pod based on the namespace label.

Helm chart release notes for Citrix ingress controller v1.27.15

This release note contains information about the Helm chart related changes for the Citrix ingress controller version 1.27.15.

What's new

Configuring wildcard DNS domains through Citrix ingress controller

Wildcard DNS domains are used to handle requests for non-existent domains and subdomains. Now, Citrix ingress controller supports configuring wildcard DNS domains on a Citrix ADC. A new CRD wildcarddnsentry is introduced to support wildcard DNS domains.

For more information, see Configuring wildcard DNS domains through Citrix ingress controller.

Open policy agent support for Kubernetes with Citrix ADC

Open policy agent (OPA) is an open source, general-purpose policy engine that unifies policy enforcement across different technologies and systems. Now, Citrix ingress controller supports OPA through the HTTP callout.

For more information, see Open policy agent support for Kubernetes with Citrix ADC.

Fixed issues

• When distributed tracing is enabled for service mesh lite deployments, the service parameter was mandatory in the analytics configuration ConfigMap. If the service parameter is missing, distributed tracing was not working. This issue is fixed now.

• Canary header values at Citrix ADC are not updated, when the existing ingress is updated with new Canary header values using the Ingress annotation. This issue is fixed now.

• For service mesh lite deployments, service group members were not binding earlier. This issue is fixed now.

• During Citrix ingress controller boot up pre-validation checks, tracebacks were happening while checking connection with Citrix ADC. This issue is fixed now.

• Bot management policies were not getting configured on Citrix ADC VPX version 13.0 with the latest Citrix ingress controller versions. This issue is fixed now.

Enhancements

• A new parameter optimizeEndpointBinding is introduced in the Helm chart to enable or disable binding of back-end endpoints to a service group in a single API call. Acceptable values are True and False. Enabling this parameter is recommended when there are large number of endpoints (pods) per application. This enhancement is applicable only for Citrix ADC release 13.0–45.7 and higher versions.