Citrix ADC integration with Istio
Table of Contents
- Citrix ADC as an Ingress Gateway for Istio
- Citrix ADC as a Sidecar Proxy for Istio
- Deployment Options
- Release Notes
- Code of Conduct
A service mesh is an infrastructure layer that handles communication between microservices and provides capabilities like service discovery, load balancing, security, and monitoring. Istio is an open source and platform-independent service mesh that connects, monitors, and secures microservices. Citrix ADC has advanced traffic management capabilities for enhancing application performance and provides comprehensive security. Citrix ADC integrations with Istio allow you to secure and optimize traffic for applications in the service mesh using Citrix ADC features.
Citrix ADC can be integrated with Istio in two ways:
- Citrix ADC CPX, MPX, or VPX as an Istio Ingress Gateway to the service mesh.
- Citrix ADC CPX as a sidecar proxy with application containers in the service mesh.

Both modes can be combined to have a unified data plane solution.
An Istio ingress gateway acts as an entry point for the incoming traffic and secures and controls access to the service mesh from outside. It also performs routing and load balancing. Citrix ADC CPX, MPX, or VPX can be deployed as an ingress gateway to the Istio service mesh.
In Istio service mesh, a sidecar proxy runs alongside application pods and it intercepts and manages incoming and outgoing traffic for applications. Citrix ADC CPX can be deployed as the sidecar proxy in application pods. A sidecar proxy applies the configured routing policies or rules to the ingress and egress traffic from the pod.
For detailed information on the integration of Citrix ADC with the Istio service mesh, see Architecture. The primary component that enables the integration is istio-adaptor, which translates xDS API calls from the Istio control plane into NITRO API calls to the Citrix ADC.
In the Istio service mesh, Citrix ADC can act as an Ingress Gateway, a sidecar proxy, or both in the data plane. Citrix ADC can act as an Ingress Gateway for services deployed with or without a sidecar (the sidecar can be Citrix CPX or Envoy). The following table shows the working combinations of Citrix ADC and Envoy proxy.
| Ingress Gateway | Sidecar Proxy | Supported |
|---|---|---|
| Citrix ADC | Citrix ADC CPX | Yes |
| Envoy proxy | Citrix ADC CPX | Yes |
You can deploy Citrix ADC with Istio using Kubernetes YAML or Helm charts. To deploy Citrix ADC with Istio using Kubernetes YAML, see Deployment.
To deploy Citrix ADC with Istio using Helm charts, see the following links:
- Deploy Citrix ADC as an Ingress Gateway using Helm charts
- Deploy Citrix ADC CPX as a sidecar using Helm charts
The features supported on Citrix ADC in the Istio service mesh fall broadly into the following categories.
- Traffic Management
Citrix ADC supports the following traffic management features in Istio.
- Service discovery
- Load balancing
- Secure Ingress
- Weighted clusters
- HTTP rewrite
- HTTP redirect
- HTTP fault injection
The SSL/TLS certificates required for applications are maintained and managed by Citadel in the Istio control plane. A few important features supported on Citrix ADC are:
- End user authentication or origin authentication using JWT authentication
- Transport authentication or service-to-service authentication using mutual TLS
Monitoring of Istio certificates and keys
Istio-adaptor monitors the folder where Istio deploys certificates and keys for mutual TLS authentication between Citrix ADC proxies. After an update of certificate and key, Istio-adaptor loads the new certificate and key to Citrix ADC.
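The following Go program is an added example, not code from istio-adaptor: it polls a certificate and key on disk and reports a reload only when the certificate has changed and the private key matches it, so a half-finished rotation is never handed on. The file names `cert-chain.pem` and `key.pem` and the helpers `NewWatcher` and `writePair` are assumptions; loading the accepted pair into Citrix ADC is left to the caller.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// NewWatcher returns a poll function for one certificate/key pair. It reports
// changed=true only for a new pair whose private key matches the certificate.
func NewWatcher(certPath, keyPath string) func() (*tls.Certificate, bool, error) {
	var last [sha256.Size]byte // digest of the last accepted leaf certificate
	return func() (*tls.Certificate, bool, error) {
		pair, err := tls.LoadX509KeyPair(certPath, keyPath)
		if err != nil {
			return nil, false, err // unreadable or half-rotated pair: keep the old one, retry
		}
		sum := sha256.Sum256(pair.Certificate[0])
		if sum == last {
			return nil, false, nil // same certificate as last time, nothing to load
		}
		last = sum
		return &pair, true, nil
	}
}

// writePair writes a constructed self-signed Ed25519 pair (sample input; errors ignored).
func writePair(certPath, keyPath string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	key, _ := x509.MarshalPKCS8PrivateKey(priv)
	os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
	os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: key}), 0o600)
}

func main() {
	cert, key := os.TempDir()+"/cert-chain.pem", os.TempDir()+"/key.pem" // assumed file names
	check := NewWatcher(cert, key)
	writePair(cert, key) // stands in for a certificate rotation
	_, changed, err := check()
	fmt.Println("reload needed:", changed, "error:", err)
}
```

Call the returned function on a timer or from a file-system notification; an error return means the pair currently on disk must not replace the one already loaded.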
Statistical data from the Citrix ADC Ingress device can be exported to Prometheus using Citrix ADC Metrics Exporter. Prometheus is already installed as part of the Istio package. By default, Citrix ADC Metrics Exporter is also deployed along with Citrix ADC Ingress Gateway. Citrix ADC Metrics Exporter fetches statistical data from Citrix ADC and exports it to Prometheus running in the Istio service mesh. When you add Prometheus as a data source in Grafana, you can visualize this statistical data in the Grafana dashboard.
The detailed list of fields supported on Citrix ADC as per the Istio CRDs (Destination Rule, Virtual Service, Policy, Gateway, Service Entry) can be found here.
Click here for the release notes of the latest Citrix
Contributions are always welcome! Please read the Developer Guide.
For questions and support, the following channels are available:
To request an invitation to participate in the Slack channel, provide your email address using this form: https://podio.com/webforms/22979270/1633242
Please report issues in detail. Use the following command to collect the logs:
Get Logs: kubectl logs <podname> -c istio-adaptor -n <namespace> > log_file
This project adheres to the Kubernetes Community Code of Conduct. By participating in this project, you agree to abide by its terms.
citrix-istio-adaptor is licensed with Apache License 2.0