kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: citrix rules: - apiGroups: [""] resources: ["endpoints", "ingresses", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] verbs: ["get", "list", "watch"] # services/status is needed to update the loadbalancer IP in service status for integrating # service of type LoadBalancer with external-dns - apiGroups: [""] resources: ["services/status"] verbs: ["patch"] - apiGroups: [""] resources: ["events"] verbs: ["create"] - apiGroups: ["extensions"] resources: ["ingresses", "ingresses/status"] verbs: ["get", "list", "watch", "patch"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses", "ingresses/status", "ingressclasses"] verbs: ["get", "list", "watch", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "watch"] - apiGroups: ["citrix.com"] resources: ["rewritepolicies", "authpolicies", "ratelimits", "listeners", "httproutes", "continuousdeployments", "apigatewaypolicies", "wafs", "bots", "corspolicies"] verbs: ["get", "list", "watch", "create", "delete", "patch"] - apiGroups: ["citrix.com"] resources: ["rewritepolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status"] verbs: ["get", "list", "patch"] - apiGroups: ["citrix.com"] resources: ["vips"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: ["crd.projectcalico.org"] resources: ["ipamblocks"] verbs: ["get", "list", "watch"] - apiGroups: ["route.openshift.io"] resources: ["routes"] verbs: ["get", "list", "watch"] - apiGroups: ["config.openshift.io"] resources: ["networks"] verbs: ["get", "list"] - apiGroups: ["network.openshift.io"] resources: ["hostsubnets"] verbs: ["get", "list", "watch"] - apiGroups: ["crd.projectcalico.org"] resources: ["ipamblocks"] verbs: ["get", "list", "watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: citrix roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: citrix subjects: - kind: ServiceAccount name: citrix namespace: default --- apiVersion: v1 kind: ServiceAccount metadata: name: citrix namespace: default --- apiVersion: apps.openshift.io/v1 kind: DeploymentConfig metadata: name: cic spec: replicas: 1 selector: router: cic strategy: resources: {} rollingParams: intervalSeconds: 1 maxSurge: 0 maxUnavailable: 25% timeoutSeconds: 600 updatePeriodSeconds: 1 type: Rolling template: metadata: name: cic labels: router: cic spec: serviceAccount: citrix containers: - name: cic image: "quay.io/netscaler/netscaler-k8s-ingress-controller:1.41.5" securityContext: privileged: true env: - name: "EULA" value: "yes" # Set NetScaler NSIP/SNIP, SNIP in case of HA (mgmt has to be enabled) - name: "NS_IP" value: "X.X.X.X" # Set NetScaler VIP that receives the traffic - name: "NS_VIP" value: "X.X.X.X" # Set username for Nitro - name: "NS_USER" valueFrom: secretKeyRef: name: nslogin key: username # Set user password for Nitro - name: "NS_PASSWORD" valueFrom: secretKeyRef: name: nslogin key: password - name: "LOGLEVEL" value: "INFO" args: - --default-ssl-certificate default/default-cert - --feature-node-watch true imagePullPolicy: IfNotPresent