Release 1.29.5

Version 1.29.5

Fixed issues

• If an ingress has an empty TLS section, Citrix ingress controller was configuring CS virtual server as SSL type by default. Now, Citrix ingress controller will create SSL virtual server only if a default certificate is provided.
• CS virtual server creation was failing for the Ingress resource when an application is exposed with ANY as protocol and port as * in the Ingress resource. This issue is now fixed.
• Citrix ingress controller was not fully provisioning the SSL profile after the Citrix ADC CPX restart. This issue is fixed now.

Release 1.28.2

Version 1.28.2

Enhancements

Deploying Citrix ingress controller with minimal privileges

• A new environment variable SCOPE is introduced. You can set the value of the SCOPE environment variable as local or cluster. When you set this variable as local, Citrix ingress controller is deployed with a Role binding that has limited privileges. You can use this option when you want to deploy Citrix ingress controller with minimal privileges for a particular namespace with Role binding. By default, the value of SCOPE is set as cluster and Citrix ingress controller is deployed with the ClusterRole binding. For more information, see deploy Citrix ingress controller for a namespace.

OpenShift Operator version update

• Citrix ingress controller OpenShift Operator version is now updated to 1.28.2.

Fixed issues

• When Citrix IPAM controller is already configured and Citrix ingress controller is provided with NS_VIP and NS_SVC_LB_DNS_REC, DNS records were getting created spuriously even for virtual IP addresses assigned using NS_VIP. This behavior was occurring for services of type LoadBalancer. Now, DNS address records are added on Citrix ADC only for the IP addresses assigned by Citrix IPAM controller.

Known issues

• RBAC Role does not support kind: IngressClass.

Release 1.27.15

Version 1.27.15

What's new

Configuring wildcard DNS domains through Citrix ADC ingress controller

Wildcard DNS domains are used to handle requests for non-existent domains and subdomains. Now, Citrix ingress controller supports configuring wildcard DNS domains on a Citrix ADC. A new CRD wildcarddnsentry is introduced to support wildcard DNS domains.

For more information, see Configuring wildcard DNS domains through Citrix ADC ingress controller.

Open policy agent support for Kubernetes with Citrix ADC

Open policy agent (OPA) is an open source, general-purpose policy engine that unifies policy enforcement across different technologies and systems. Now, Citrix ingress controller supports OPA through the HTTP callout.

For more information, see Open policy agent support for Kubernetes with Citrix ADC.

Fixed issues

• When distributed tracing is enabled for service mesh lite deployments, the service parameter was mandatory in the analytics configuration ConfigMap. If the service parameter is missing, distributed tracing was not working. This issue is fixed now.
• Canary header values at Citrix ADC are not updated when the existing ingress is updated with new Canary header values using the Ingress annotation. This issue is fixed now.
• For service mesh lite deployments, service group members were not binding earlier. This issue is fixed now.
• During Citrix ingress controller boot-up pre-validation checks, tracebacks were happening while checking connection with Citrix ADC. This issue is fixed now.
• Bot management policies were not getting configured on Citrix ADC VPX version 13.0 with the latest Citrix ingress controller versions. This issue is fixed now.
• Citrix ingress controller now gracefully handles unauthorized access to the Kubernetes API server due to the token expiry.

Enhancements

• A new environment variable OPTIMIZE_ENDPOINT_BINDING is introduced to enable or disable binding of back-end endpoints to a service group in a single API call. This variable is recommended when there are a large number of endpoints (pods) per application. This enhancement is applicable only for Citrix ADC release 13.0–45.7 and higher versions.

Release 1.26.7

Version 1.26.7

What's new

Enhancements

• For HTTP header value-based canary deployments, Citrix ingress controller now supports multiple canary header values as a list of strings. Previously, only one HTTP header value was supported. For more information, see Simplified canary deployment using Ingress annotations.

• You can now add DNS records for a service of type LoadBalancer on Citrix ADC by configuring the NS_SVC_LB_DNS_REC environment variable. Earlier, adding DNS records on Citrix ADC was supported only for Ingress resources. For more information, see Adding DNS records for services of type LoadBalancer.

Helm chart-specific changes

For Helm chart-specific changes, see the Helm chart release notes.

Release 1.25.6

Version 1.25.6

What's new

Consistent hashing algorithm support

Consistent hashing algorithms are mostly used for load balancing cache servers to achieve stateless persistency.
Consistent hashing can ensure that when a cache server is removed, only the requests cached in that specific server is rehashed and the rest of the requests are not affected.
You can now configure the consistent hashing algorithm on Citrix ADC using Citrix ingress controller.

For more information, see the consistent hashing algorithm support.

AppQoE support

You can configure the request-retry feature on Citrix ADC to forward the client request to the next available backend server whenever there is a connection failure to the backend server. Using the AppQoE CRD provided by Citrix, you can now configure request-retry policies on Citrix ADC with Citrix ingress controller. The AppQoE CRD enables the communication between the Citrix ingress controller and Citrix ADC for enforcing AppQoE policies.

For more information, see the AppQoE support documentation.

Enhancements

• Citrix ingress controller logs are enhanced to indicate the missing subnet IP address (SNIP) information on Citrix ADC.
• A new key service is added under the endpoint parameter for analytics configuration using ConfigMap. You can specify an IP address or service name of the Citrix ADC observability exporter service depending on whether the service is running on a virtual machine or as a Kubernetes service.
• Now, you can configure the NS_NITRO_READ_TIMEOUT parameter to configure the Citrix ingress controller timeout for NITRO API calls. The default value for timeout is 20 seconds.

Fixed issues

• Earlier, Citrix ingress controller was configuring services even when the service port information is incorrect in the Ingress resource definition. This issue is fixed now.

• The functionality for logging packets to support observability was missing in the Ratelimit CRD. This issue is fixed now.

• Ingress class for associating the rewrite and responder CRD to the ingress controller was missing. This issue is fixed now.

• The servicenames section was made non-mandatory for the Auth CRD so that the Auth CRD can be referred via annotation in the Ingress.

Helm chart specific changes

For Helm chart-specific changes, see the Helm chart release notes.

Release 1.24.4

Version 1.24.4

What's new

Auth expression support

Auth CRD now supports authentication and authorization policies with Citrix ADC expression syntax.
For more information, see Authentication and authorization policies for Kubernetes with Citrix ADC.

Fixed issues

• When a Kubernetes service is deployed on OpenShift with OVN CNI, Citrix ingress controller was failing with an exception. Now, this issue is fixed.

Helm chart specific changes

For Helm chart-specific changes, see the Helm chart release notes.

Release 1.23.10

Version 1.23.10

What's new

Listener CRD support for Ingress using annotations

Citrix ingress controller already provides content routing CRDs such as the Listener CRD for front-end configurations and HTTProute for back-end routing logic. Now, Listener CRD can be applied for Ingress resources using an annotation provided by Citrix. Through this feature, you can use the Listener CRD for your Ingress resource and separate the creation of the front-end configuration from the Ingress definition. Hence, NetOps can separately define the Listener resource to configure front-end IP, certificates, and other front-end parameters (TCP, HTTP, and SSL). Any configuration changes can be applied to the listener resources without changing each Ingress resource.

For more information, see Listener CRD support for Ingress using annotation.

Support for setting log format as JSON

Now, you can view Citrix ingress controller log messages in JSON format. For more information, see ConfigMap support.

Fixed issues

• Earlier, if an Ingress resource and an OpenShift route have the same name and the OpenShift route does not belong to a valid route sharding then the ingress resource was getting unconfigured. This issue is fixed now.

• When a service of the type LoadBalancer was modified and the IPAM controller was used for the IP address configuration, Citrix ingress controller was repeatedly configuring and unconfiguring the service earlier. This issue is fixed now

• Earlier, while deploying the latest version of the multi-cluster ingress controller the following error was getting displayed:
  AttributeError: 'IngressCRDInstance' object has no attribute 'listener_mode'. Now, this issue is fixed.

• When Citrix ADC was rebooting, the following traceback was getting displayed earlier:
  TypeError: ‘NoneType’ object is not iterable. Now, this issue is fixed.

• After the re-creation of Ingress, CRD policies were not getting bound to load balancing virtual servers. This issue is now fixed.

Release 1.22.7

Version 1.22.7

What's new

Apply CRDs through annotations

You can now apply policies such as rewrite responder, rate limit, auth, WAF, and bot for ingress resources and services of type load balancer by referring them using annotations. Using this feature, when there are multiple services in an Ingress resource, you can apply CRDs for a specific service or all the services based on your requirements. For more information, see Apply CRDs through annotations.

Fixed issues

• For deployments where Citrix ADC CPX acts as tier 1 ADC, endpoints were not getting added if Citrix IPAM controller is not deployed. This issue is fixed now.

Release 1.21.9

Version 1.21.9

Enhancements

• Citrix ingress controller now supports WAF features such as request side streaming, configuring RFC profile, and grammar-based SQL injection detection support. For more information, see the example YAML file. See, configuring web application firewall policies for information on how to configure WAF.
• Previously Ingress status was updated with an external IP address only when Citrix ingress Controller is started with the –update-ingress-status argument configured as yes. Now, Ingress status is updated with an external IP address by default for tier-1 deployments. This argument –update-ingress-status configured as yes is required for tier-2 deployments with Citrix ADC CPX for updating the ingress status with external IPs.
• For multi-cluster Ingress, Citrix ingress controller now supports HTTPS monitors with SNI enabled by default during the TLS handshake.
• For multi-cluster Ingress, Citrix ingress controller now supports source IP persistence. For more information, see the multi-cluster ingress documentation.
• Citrix ingress controller feature-node-watch now supports OpenShift OVN CNI.

Fixed issues

• Earlier, OpenShift feature-node-watch was not configuring the correct routes on the Citrix ADC after the node modify event for OpenShift-SDN CNI. This issue is now fixed.
• Sometimes Listener CRD was failing to create cipher groups due to the name size limit of 39 characters. This issue is fixed by using the hash to limit the name size to 39 characters.
• The ingress.citrix.com/csvserver annotation was getting applied only when the first ingress belonging to the content switching virtual server is created. Now, this annotation gets applied regardless of the order of ingresses.
• In the Citrix ADC CPX BGP deployment, the service of type LoadBalancer status was not getting updated with external IP sometimes. This issue is fixed.
• Citrix ingress controller now supports the modification of service of type LoadBalancer by clearing the stale entries in Citrix ADC. This modification includes any port group and annotation modifications.
• While adding domain name servers through ConfigMap for tier 1 Citrix ADC, the existing domain name server configuration on Citrix ADC VPX was getting deleted if the existing configuration was not specified as part of the ConfigMap. Now, this issue is fixed.
• Earlier, When Citrix ingress controller was configuring existing alternate backend routes on OpenShift during boot-up, an error keyError: 'weighted_abpol' may occur. Now, it is fixed.

Release 1.20.5

Version 1.20.5

What's New

Traffic management for external services

Sometimes, the available services of an application may be deployed outside the Kubernetes cluster. In such cases, you need a way to resolve domain names for external services and require features such as traffic management. Now, you can configure Citrix ADC as the domain name resolver for external services and enable traffic management. For more information, see Traffic management for external services.

Enhancements

• You can now disable API certificate verification while communicating with the API server from Citrix ingress controller or multi-cluster ingress. For more information, see Disable API certificate verification.

Known issues

From Citrix ingress controller version 1.20.5, the support for adding domain name servers through ConfigMap is added for tier 1 Citrix ADC. However, the existing domain name server configuration on Citrix ADC VPX may get deleted if not specified as part of the ConfigMap. As a workaround, you should make sure that all the domain name servers that are expected in Citrix ADC VPX (including the domain names which are already present) are added to the ConfigMap by specifying the domain name server IP addresses. These domain name servers are automatically configured and managed by Citrix ingress controller.