Releases: netscaler/netscaler-k8s-ingress-controller
Release 1.16.9
Version 1.16.9
What's New
SIP UDP support
Now, session initiation protocol over UDP (SIP UDP) is supported as a layer 4 load balancing protocol for ingress with the ingress.citrix.com/insecure-service-type annotation and for service of type LoadBalancer with the service.citrix.com/service-type annotation.
For more information, see the Annotation documentation.
Fixed issues
- While upgrading Citrix ingress controller from versions prior to 1.15.12, some of the already bound certificate keys were getting deleted. Now, this issue is fixed.
- Sometimes, already bound CRDs were unbound when Citrix ingress controller was restarted. This issue is fixed now.
- When Citrix ingress controller is started with the IPAM controller argument but the IPAM controller was not running and the ingress was modified, Citrix ingress controller may fail. This issue is fixed now.
Release 1.15.12
Version 1.15.12
Fixed issues
- Errors while applying the rewrite CRD were causing a loop because Citrix ingress controller was not tracking generation for failed events. Even for failed resources, Citrix ingress controller was sending status updates to the CRD, which resulted in a loop. This issue is fixed now.
- When multiple Citrix ingress controllers are deployed with different ingresses or service classes in the cluster, VIP CRD instances were created and deleted in a loop. This issue is fixed now.
- Any addition or deletion of secrets was triggering reconfiguration of all ingresses of the same frontend-ip and flooding of messages. This issue is fixed now.
- Ingress status was not getting updated in Citrix ADC CPX deployment for BGP. This issue is fixed.
- The default configuration of the SSL termination annotation service.citrix.com/ssl-termination-<index> was not working. This issue is fixed now.
- Exceptions were not handled properly while deleting profiles. Now, exceptions are handled properly.
- Now, WAF CRD raises a warning when the IP reputation feature is used along with WAF in deployments where Citrix ingress controller is deployed along with Citrix ADC CPX. The IP reputation feature is not supported in Citrix ADC CPX.
- Earlier, the SSL certificate key mentioned in OpenShift routes was present in Citrix ingress controller logs. Now, it is fixed.
- Inconsistent naming of load balancing virtual server entities created for OpenShift routes is now fixed.
- If an ingress resource has http.paths specified but a service back-end is not specified, it resulted in an exception. This issue is fixed now.
- If an ingress is deleted, all other ingresses of the same front-end IP address try to reconcile the certificates with the Citrix ADC. If there is any failure in certificate addition, it was resulting in flooding of messages. This issue is fixed now.
- If an ingress with multiple rules with different paths has the same service back-end, which is also the same as the default back-end, it results in incorrect priority while binding the content switching policy in Citrix ADC. This issue is fixed now.
Enhancements
- Ingress resource version is now stored at the load balancing virtual server level. With this enhancement, when Citrix ingress controller restarts, only ingresses which got modified are reconfigured. Earlier, this information was maintained at the content switching virtual server level and any change for any ingress under the content switching virtual server used to cause reconfiguration for all ingresses.
  Note: During the first upgrade, the resource-version information is not available and this optimization does not help.
- When Citrix ingress controller restarts, it detects ingresses which are modified after the last restart and only reconfigures those ingresses by deleting and adding them one by one. Earlier, all ingresses were deleted at once and then recreated later, resulting in longer downtime.
- Priority calculation for content switching policies is now optimized by introducing a cache in Citrix ingress controller.
- To track the synchronization time, meaningful logs are added.
- Earlier, Citrix ingress controller would process the ingress even if only the status field is changed. Now, Citrix ingress controller does not configure the ingress if only the status field is changed.
- Now, Citrix ingress controller identifies whether the default SSL profile is enabled on the Citrix ADC during bootup time and uses that information to enable the SNIenable field for SNI certificates. In case the default profile is enabled, Citrix ingress controller uses the SSL profile to enable the SNI. Otherwise, the SSL virtual server is used to enable SNI.
  Note: In case the default SSL profile is enabled after Citrix ingress controller is started, Citrix ingress controller needs to be rebooted for the correct SSL configuration.
- When Citrix CPX is used as sidecar, now the default SSL profile is enabled by default. With this enhancement, Citrix ADC CPX can support advanced SSL features such as TLS1.3 using SSL profiles.
Release 1.14.17
Version 1.14.17
What's New
Advanced content routing for Ingress using the HTTPRoute CRD
Now, Citrix supports configuring the HTTP route CRD resource as a resource backend in Ingress. By default, Ingress supports only limited content routing capabilities like path and host based routing. Using this feature, you can extend advanced content routing capabilities to Ingress and perform content switching based on query parameters, cookies, HTTP headers, and other Citrix ADC custom expressions.
For more information, see the Advanced content routing for Ingress using the HTTPRoute CRD documentation.
IP address management using the Citrix IPAM controller for Ingress resources
For service of type LoadBalancer, you can automatically allocate IP addresses to services from a specified IP address range using the IPAM controller. Now, this functionality is extended to ingress resources as well. When the virtual IP address (VIP) is not specified for an Ingress resource and the IPAM controller is enabled, it allocates an IP address for the ingress resource from a specified range. The Citrix ingress controller configures the allocated IP address as a VIP in Citrix ADC MPX or VPX.
For more information, see the IP address management using the Citrix IPAM controller for Ingress resources documentation.
Authentication support with the content routing CRD
Authentication support is now extended with content routing CRD, where content routing CRDs are supported for configuring advance policies.
For more information, see the Auth CRD documentation.
IPSET support
An IPSET is a set of IP addresses, which are configured on the Citrix ADC appliance as Subnet IP addresses (SNIPs) or VIPs. Now, you can specify the name of the IPSET while configuring the content switching virtual server on a Citrix ADC using the Citrix ingress controller.
For more information, see the Annotation documentation.
Profile support for the Listener CRD
For HTTP, TCP, or SSL protocols, you can group a set of configurations specific to a protocol as a profile and apply it on the Citrix ADC. Now, HTTP, TCP, and SSL profiles are supported for the Listener CRD. The Listener CRD also supports the analytics profile, which enables exporting the transaction data to Citrix observability exporter.
For more information, see the Profile support for the Listener CRD documentation.
Fixed issues
- After a reboot of the Citrix ingress controller on the OpenShift platform, Citrix ADC entities like the content switching virtual server were deleted and re-created on the Citrix ADC. This issue is now fixed.
- While enabling some features in Citrix ADC, it may throw a NITRO exception with the error code 1097. This issue is fixed.
- Ingress with the version networking.k8s.io/v1 was not getting configured in the Amazon EKS cluster. This issue is fixed.
- While adding the Citrix observability exporter server, Citrix ADC may throw a NITRO exception with the error code 1335. This issue is fixed.
- While adding the Citrix ingress controller string map, Citrix ADC was throwing a NITRO exception due to the presence of "-" in the Kubernetes namespace. This issue is fixed in this release.
Known issues
A stand-alone Citrix ingress controller for configuring Citrix ADC VPX or MPX raises an exception when an ingress resource it supports has neither the frontend-ip annotation nor an ipam-range annotation. This issue has no functionality impact.
Release 1.13.20
Version 1.13.20
What's New
OpenID Connect
OpenID Connect (OIDC) is a simple identity layer on the top of the OAuth 2.0 protocol. Using the OIDC feature, clients can verify the identity of the end-user based on the authentication performed by an authorization server. You can also obtain the basic profile information about the end-user using this feature.
Now, the Auth CRD supports OIDC. For more information, see the Auth CRD documentation.
Ingress name attribute support in form based authentication
The Auth CRD supports form based authentication. In the form based authentication, the Ingress_name attribute is now supported. Using this attribute, you can specify the name of the Ingress for which you want to apply the form based authentication.
For more information, see the Auth CRD documentation.
Enhancements
With this enhancement, the GSE CRD is auto generated for an Ingress object if the service within the Ingress is referred to in the GTP CRD instance and the status-loadbalancer-ip/hostname field is already populated. Earlier, the auto generation of the GSE CRD was supported only for a service of type LoadBalancer. For more information, see the Multi-cluster ingress and load balancing documentation.
Helm chart specific changes
For Helm chart specific changes, see the Helm chart release notes.
Release 1.13.15
Version 1.13.15
What's New
Policy based routing
When you are using a single Citrix ADC to load balance multiple Kubernetes clusters, the Citrix ingress controller adds static routes to establish connectivity between Citrix ADC and Kubernetes pods. However, when the pod CIDRs overlap there may be route conflicts. Using policy based routing you can route packets based on a specified criteria and avoid such route conflicts.
For more information, see the policy based routing documentation.
Simple canary with Ingress annotations
Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. Canary deployment is already supported using the Canary CRD. Now, Citrix also provides a simpler option for canary deployment using Ingress annotations. For more information, see the simple canary with Ingress annotations documentation.
Call Home enablement for the Citrix Ingress controller in Citrix ADC
The Call Home feature gathers information about the performance of a product and uploads them to a Citrix server which helps Citrix to diagnose issues and resolve them. Now, the Call Home feature available on Citrix ADC can be enabled for the Citrix ingress controller deployments. For more information, see the Call Home enablement for the Citrix ingress controller documentation.
Support for HTTP and HTTPs URL sources for OAS documents
Earlier, only Open API Specification (OAS) documents hosted in Git repositories were supported by the API Gateway CRD. Now, API Gateway CRD can also fetch OpenAPI Specification (OAS) documents from non-Git sources such as HTTP or HTTPs URLs. For more information, see Deploy API gateway using GitOps.
Ingress V1 enhancements and IngressClass support
With the Kubernetes version 1.19, the Ingress resource is generally available. As a part of this change, a new resource named IngressClass is added to the ingress API. Using this resource, you can associate Ingress resources to specific Ingress controllers. Now, the Citrix ingress controller supports Ingress V1 enhancements and the IngressClass resource.
For more information, see the Ingress class support documentation.
Enhancements
The following environment variables are added in this release to the Citrix ingress controller:
- POD_IPS_FOR_SERVICEGROUP_MEMBERS: By default, while configuring services of type LoadBalancer and NodePort on an external tier-1 Citrix ADC, the Citrix ingress controller adds NodeIP and NodePort as service group members. If this variable is set as True, pod IP address and port are added instead of NodeIP and NodePort as service group members.
- IGNORE_NODE_EXTERNAL_IP: While adding NodeIP for services of type LoadBalancer or NodePort on an external tier-1 Citrix ADC, the Citrix ingress controller prioritizes an external IP address over an internal IP address. When you want to prefer an internal IP address over an external IP address for NodeIP, you can set this variable to True.
Fixed issues
- Now, the --feature-node-watch argument is supported for Calico CNI.
- Earlier, adding a certificate to the Citrix ADC may occasionally fail due to the presence of a stale intermediate CA certificate. Now, the Citrix ingress controller retries adding the certificate after deleting the intermediate CA certificate.
- When you delete OpenShift routes, the Citrix ingress controller may raise an exception. This issue is fixed now.
Release 1.12.2
Version 1.12.2
What's New
LDAP authentication support
Lightweight directory access protocol (LDAP) is an open and industry standard application protocol for accessing and maintaining distributed directory information services. A common use of LDAP is to provide a central place to store your user names and passwords. Now, the Auth CRD supports LDAP authentication. For more information, see the Auth CRD documentation.
Ingress status update for sidecar deployments
In cloud deployments, there are situations where a Citrix ADC CPX running along with the Citrix ingress controller is exposed using a cloud load balancer. In such scenarios, you can now update the ingresses that are configured on the Citrix ADC CPX with the IP address or host name of the cloud load balancer.
For more information, see the Ingress status update for sidecar deployments.
Enhancements
Shorter entity names
When the Citrix ingress controller adds the Citrix ADC entities, the previous naming format may result in ADC entities with large names even exceeding the name limits in Citrix ADC. Now, the naming format in the Citrix ingress controller is updated to shorten the entity names. In the updated naming format, a part of the entity name is hashed and all the necessary information is provided as part of the entity comments. For more information, see Entity name change.
Fixed issues
When the Citrix ingress controller tries to bind a server entity to a service group, if a server entity with the same IP address but a different name already exists, Citrix ADC throws an error. Now, this issue is fixed and the server is bound to the service group with the name of the existing server.
Helm chart specific changes
For Helm chart specific changes, see the Helm chart release notes.
Release 1.11.3
Version 1.11.3
What's New
Deploy API gateway using GitOps
With the GitOps solution for API gateway, you can use the API specification information created by developers for configuring API gateway policies. The GitOps mechanism is used to deliver the API specification document to the deployment environment.
Using the API gateway CRD provided as part of this solution, you can automatically bind single or multiple API gateway policies to APIs and apply them.
For more information, see Deploy API gateway using GitOps.
SAML authentication support
Security assertion markup language (SAML) is an XML-based open standard which enables authentication of users across products or organizations. Now, the Auth CRD supports SAML authentication. For more information, see the Auth CRD documentation.
Configure bot management policies
A bot is a software application that automates manual tasks. Using bot management policies, you can allow useful bots to access your cloud native environment and block access to the malicious bots. Now, you can configure bot management policies using the Bot CRD.
For more information, see the Bot CRD documentation.
Fixed issues
-
The Citrix ingress controller was not updating Citrix ADC VPX with routes of the new nodes that were getting added to the Kubernetes cluster. This issue is fixed now.
-
The Citrix ingress controller was not configuring all the endpoints if an endpoint event came before a service event. This issue is fixed now.
Release 1.10.2
Version 1.10.2
What's New
BGP advertisement of external IP addresses using Citrix ADC CPX
Earlier, to expose the service of type LoadBalancer in an on-prem environment an external Citrix ADC VPX or MPX was required. Now, the Citrix ingress controller provides another way to expose the service of type LoadBalancer or ingress resources using Citrix ADC CPX that runs within the Kubernetes cluster and BGP advertisement. The existing BGP fabric to route the traffic to the Kubernetes nodes is leveraged to implement this solution.
For more information, see BGP advertisement of external IP addresses using Citrix ADC CPX.
Service class
When services of type LoadBalancer are deployed, the Citrix ingress controller processes all such services and configures them on Citrix ADCs. Now, you have the option to associate only specific services to a Citrix ingress controller instance using the service class feature.
For more information, see Service class for services of type LoadBalancer.
Support for redirecting insecure traffic for a service of type LoadBalancer
For a service of type LoadBalancer, there may be scenarios where you want to redirect the traffic from a non-secure port to a secure port.
You can redirect the incoming traffic to a secure port using the service.citrix.com/insecure-redirect annotation. For more information, see Annotations.
Fixed issues
- For service of type LoadBalancer deployment in a Google Anthos cluster, the IP address assigned by the IPAM controller does not get updated in the EXTERNAL-IP field of the service. This issue is fixed now.
- When the ingress resource is updated, the load balancing monitor (lb monitor) parameters in a Citrix ADC which are specified as part of the ingress.citrix.com/monitor annotation were not updating correctly. This issue is fixed now.
- When the ingress resource is deleted, the load balancing monitor in Citrix ADC which is specified as part of the ingress.citrix.com/monitor annotation was not getting deleted. This issue is fixed now.
- Enhanced the Citrix ingress controller error logging to provide detailed information about the possible error conditions.
Helm chart specific changes
For Helm chart specific changes, see the Helm chart release notes.
Release 1.9.20
Version 1.9.20
What's New
Now, when you configure the Ingress rules for the Citrix ingress controller, you can provide a service port name or the port number for the back end service. Earlier, only the port number was supported. For more information, see Multi-port services support.
Fixed issues
- Now, the Citrix ingress controller CRD infrastructure processes services and endpoints only if they are referred through a CRD. This change reduces the number of logs.
- Better session management in the Citrix Ingress controller for configuring Citrix ADC.
- Under certain scenarios, the Citrix ingress controller was not configuring service group members properly on Citrix ADC and some of the service group members were missing. This issue is fixed now.
Helm chart specific changes
For Helm chart specific changes, see the Helm chart release notes.
Release 1.9.9
Version 1.9.9
What's New
SSL certificate for services of type LoadBalancer through the Kubernetes secret resource
Earlier, the certificate for a service of type LoadBalancer with the SSL and SSL_TCP service type was specified using annotations. Now, certificates for front end and back end for a type LoadBalancer service can also be specified through the Kubernetes secret resource. Also, new annotations have been added to support a pre-configured certificate for the type LoadBalancer for front end and back end objects.
For more information, see SSL certificate for services of type LoadBalancer through the Kubernetes secret resource.
Fixed issues
- Earlier, the Citrix ingress controller was listening for a continuous stream of deployment events, which may build up memory and can delay the processing of ingress events in certain cases. With this feature, the Citrix ingress controller listens for deployment events and continuous deployment CRD events only if the –enable-canary argument is specified.
- Sometimes, the Citrix ingress controller was getting hung and it was not receiving any events. Now, timeouts are added so that the Citrix ingress controller can recover and reconnect if the connection with the Kubernetes API server gets hung.
- Better optimisation in terms of processing Kubernetes deployment and secret events.
- When the monitoring method is specified as HTTP in a global traffic policy (GTP) CRD instance, the Citrix multi-cluster GSLB controller was configuring the HTTP monitor, but not specifying the host header. With this fix, the host header is configured when the monitoring method is specified as HTTP.
Known issues
When you use the latest Citrix ADC CPX release (13.0.64.35) with the Citrix ingress controller, the UDP ingress feature is not working.
Helm chart specific changes
For Helm chart specific changes, see the Helm chart release notes.