Installation in Static Route Mode

In Static Route mode, the FortiADC Kubernetes Controller configures static route entries for each node's pod network subnet and node IP on FortiADC when the first OpenShift Route is deployed to the OpenShift Container Platform cluster. These static routes remain in place until the last OpenShift Route is removed.

Supported OpenShift version

The FortiADC Kubernetes connector with Static Routes supports OpenShift Container Platform versions 4.13 to 4.19.x.

Installing FortiADC Kubernetes Controller in OpenShift with Static Route

Install FortiADC Kubernetes Controller on OpenShift Container Platform 4 using Helm Charts.

Currently, only Helm 3 (version 3.6.3 or later) is supported.

Helm Charts ease the installation of FortiADC Kubernetes Controller in the OpenShift cluster. By using the Helm 3 installation tool, most of the OpenShift objects required for FortiADC Kubernetes Controller can be deployed in one simple command.

The OpenShift objects required for FortiADC Kubernetes Controller are listed below:

OpenShift object: Description

Deployment: By configuring the replica and pod template in the OpenShift deployment, the deployment ensures FortiADC Kubernetes Controller provides a non-terminated service.
Service Account: The service account is used in FortiADC Kubernetes Controller.
Cluster Role: A cluster role defines the permission on the OpenShift cluster-scoped Routes-related objects.
Cluster Role Binding: The cluster role is bound to the service account used for FortiADC Kubernetes Controller, allowing FortiADC Kubernetes Controller to access and operate the OpenShift cluster-scoped Routes-related objects.
Ingress Class: The IngressClass "fadc-ingress-controller" is created for FortiADC Kubernetes Controller to identify the Ingress resource. If the Ingress is defined with the IngressClass "fadc-ingress-controller", FortiADC Kubernetes Controller will manage this Ingress resource as FortiADC Kubernetes Controller also supports Ingress in the OpenShift cluster.

The Helm Chart is composed of a collection of files that describe the related set of OpenShift files required by FortiADC Kubernetes Controller; one of which is the values.yaml file that provides the default configuration for deploying the OpenShift objects listed above.

Parts of the values.yaml file are listed below.

# Default values for fadc-k8s-ctrl.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# FortiADC Kubernetes Controller image from Dockerhub.com
image:
  repository: fortinet/fortiadc-ingress
  pullPolicy: IfNotPresent
  tag: "3.1.0"

serviceAccount:
  create: true
  annotations: {}
  name: "fortiadc-ingress"
tolerations:
  - effect: "NoExecute"
    key: "node.kubernetes.io/not-ready"
    operator: "Exists"
    tolerationSeconds: 30
  - effect: "NoExecute"
    key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    tolerationSeconds: 30
# Define Ingress Class for FortiADC Kubernetes Controller
controller:
  ingressClassResource:
    name: "fadc-ingress-controller"
    enabled: true
    default: true
    controllerValue: "fortinet.com/fadc-ingress-controller"
# You can decide parameters defined in annotation of Ingress to be optional or mandatory.
# FortiADC Kubernetes Controller will check the parameter if it marks mandatory.
parameters:
  virtualServerNatSrcPool : "optional"
  virtualServerWafProfile : "optional"
  virtualServerAvProfile : "optional"
  virtualServerDosProfile : "optional"
  virtualServerCaptchaProfile : "optional"
  virtualServerPersistence : "optional"
  virtualServerFortiGSLB : "optional"
  openshiftRouteSupport: "no"
  enableStaticRouteSupport: "no"
webhook:
  useCertManager: true
  service:
    name: fad-webhook
    port: 443
    targetPort: 8443
  tlsSecretName: webhook-tls
  validatingWebhookName: validator.fadk8sctrl.fortinet.com
  mutatingWebhookName: mutator.fadk8sctrl.fortinet.com
  rules:
    validating:
      - name: validate-vs.fadk8sctrl.fortinet.com
        group: fadk8sctrl.fortinet.com
        version: v1alpha2
        resources:
          - virtualservers
        scope: "Namespaced"
        path: /validate-vs
      - name: validate-ingress.fadk8sctrl.fortinet.com
        group: networking.k8s.io
        version: v1
        resources:
          - ingresses
        scope: "Namespaced"
        path: /validate-ingress
    mutating:
      - name: mutate-vs.fadk8sctrl.fortinet.com
        group: fadk8sctrl.fortinet.com
        version: v1alpha2
        resources:
          - virtualservers
        scope: "Namespaced"
        path: /mutate-vs

In some scenarios, you may want to override some of the values included in the values.yaml, such as for the toleration seconds or parameter properties. As the values.yaml file is packed in the Helm Chart package, you can override the values when installing or upgrading the Helm Chart (see Install the Helm Chart and Upgrade the Helm Chart). For more details on the parameters, see Configuration parameters.

Install the Helm Chart

curl -L https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64 -o /usr/local/bin/helm
chmod +x /usr/local/bin/helm
helm version

For more details, see the OpenShift documentation on Helm Chart installation:
https://docs.openshift.com/container-platform/4.9/applications/working_with_helm_charts/installing-helm.html

Install cert-manager.io

Starting with FortiADC Kubernetes Controller version 3.1, a webhook server is introduced. A cert-manager installation is required to generate the self-signed certificate used for the TLS connection between the Kubernetes API server and the webhook server.

Before installing FortiADC Kubernetes Controller 3.1 or later, or upgrading to version 3.1 or later, install cert-manager by following the official installation guide at https://cert-manager.io/docs/installation/.

Compatibility has been verified with cert-manager v1.19.1.

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install --debug cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --create-namespace \
    --version v1.19.1 \
    --set crds.enabled=true

Get Repo Information

To get the repository information:

helm repo add fortiadc-kubernetes-controller https://fortinet.github.io/fortiadc-kubernetes-controller/
helm repo update

Installation parameters

To support Routes in OpenShift Container Platform, the openshiftRouteSupport parameter is added for installation. The default value of openshiftRouteSupport is no.

Starting from version 3.0.0, the security level of the FortiADC Kubernetes Controller has been increased. When deploying in OpenShift environments, you must set openshiftRouteSupport to yes to ensure a secure installation and prevent installation failure.

To enable FortiADC Kubernetes Controller with static route, the enableStaticRouteSupport parameter is added for installation. The default value of enableStaticRouteSupport is no.

To enable static route in OpenShift Container Platform 4, both openshiftRouteSupport and enableStaticRouteSupport must be set to yes.

Install and Update the Helm Chart

You can specify the OpenShift Project in which FortiADC Kubernetes Controller will be deployed. An OpenShift Project is equivalent to a Kubernetes Namespace.

If no OpenShift Project is specified, the "default" project is used. The RELEASE_NAME is the name you give to this chart installation.

Use the following command to enable OpenShift Routes support in FortiADC Kubernetes Controller.

helm install --set parameters.openshiftRouteSupport="yes" \
--set parameters.enableStaticRouteSupport="yes" \
--namespace [OpenShift Project] [RELEASE_NAME] fortiadc-kubernetes-controller/fadc-k8s-ctrl

In the example below, the Helm chart is installed with the release name “first-release” in the OpenShift project “fortiadc-ingress”.

helm install --set parameters.openshiftRouteSupport="yes" \
--set parameters.enableStaticRouteSupport="yes" \
--namespace fortiadc-ingress first-release fortiadc-kubernetes-controller/fadc-k8s-ctrl

To override values in the Helm Chart, add --set flags to the command. The example below sets the virtualServerWafProfile parameter to mandatory.

helm install --set parameters.openshiftRouteSupport="yes" \
--set parameters.enableStaticRouteSupport="yes" \
--set parameters.virtualServerWafProfile="mandatory" \
--namespace fortiadc-ingress first-release fortiadc-kubernetes-controller/fadc-k8s-ctrl

Moreover, you can create a new project and deploy FortiADC Kubernetes Controller within the project at the same time.

helm install --set parameters.openshiftRouteSupport="yes" \
--set parameters.enableStaticRouteSupport="yes" \
--namespace fortiadc-ingress --create-namespace \
first-release fortiadc-kubernetes-controller/fadc-k8s-ctrl

Upgrade the Helm Chart

To upgrade the Helm chart, run helm upgrade with the required parameters.

helm upgrade --set parameters.openshiftRouteSupport="yes" \
--set parameters.enableStaticRouteSupport="yes" \
[RELEASE_NAME] fortiadc-kubernetes-controller/fadc-k8s-ctrl

The example below upgrades the Helm chart release named “first-release”.

helm upgrade --set parameters.openshiftRouteSupport="yes" \
--set parameters.enableStaticRouteSupport="yes" \
first-release fortiadc-kubernetes-controller/fadc-k8s-ctrl

With the --debug option, Helm prints the “USER-SUPPLIED VALUES” section, which you can use to confirm that all values are set as intended.

Release "first-release" has been upgraded. Happy Helming! 
NAME: first-release
LAST DEPLOYED: Fri Aug 4 13:32:10 2023
NAMESPACE: fortiadc-ingress 
STATUS: deployed
REVISION: 2 
TEST SUITE: None
USER-SUPPLIED VALUES:
parameters: 
  virtualServerWafProfile: mandatory 
  openshiftRouteSupport: yes
  enableStaticRouteSupport: yes

Check the Installation

The helm history command shows the installation information.

[root@bastion ~]# helm history first-release
REVISION   UPDATED                    STATUS     CHART                   APP VERSION     DESCRIPTION
1          Wed Jun 12 13:06:27 2024   deployed   fadc-k8s-ctrl-2.0.2-1   2.0.2-1     Install complete

Check if FortiADC Kubernetes Controller is installed correctly.

[root@ocpexp openshift]# oc get deployment
NAME                          READY   UP-TO-DATE   AVAILABLE   AGE
first-release-fadc-k8s-ctrl   1/1     1            1           4d17h

Check the FortiADC Kubernetes Controller log.

[root@ocpexp openshift]# oc logs first-release-fadc-k8s-ctrl-7cdcfdbdf6-fds6h 
Stopping FortiADC Kubernetes controller 
Starting FortiADC Kubernetes controller
time="2025-08-25T18:46:09Z" level=info msg="Starting FortiADC Kubernetes controller"
time="2025-08-25T18:46:09Z" level=info msg="Routes Monitor Enabled"
time="2025-08-25T18:46:09Z" level=info msg="Static Routes Enabled"
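
A scripted form of the checks above, as an added example that is not from Fortinet's documentation or chart: it confirms the release's user-supplied values and the controller's startup log lines. The function names are hypothetical and helm get values / oc logs are assumed as the live inputs; the value check is most useful after helm upgrade --set, which does not carry earlier --set values forward unless --reuse-values is given.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet code). Function names are hypothetical. Each check
# reads captured command output on stdin, so it also works on saved output.

# param_value KEY: print KEY's value from the top-level "parameters:" block of
# `helm get values` / "USER-SUPPLIED VALUES" YAML, with any quotes removed.
param_value() {
  awk -v key="$1" '
    /^[^ \t#]/ { in_params = ($1 == "parameters:"); next }  # a top-level key opens or closes the block
    in_params {
      n = index($0, ":"); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' | tr -d "\"'"
}

# check_values KEY=VALUE...: succeed only if every KEY is set to exactly VALUE.
check_values() (
  yaml=$(cat); rc=0
  for pair in "$@"; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(printf '%s\n' "$yaml" | param_value "$key")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: want '$want', got '${got:-<unset>}'" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ]
)

# check_log: succeed only if the controller log shows both startup messages
# that this page lists for Static Route mode.
check_log() (
  log=$(cat)
  for msg in "Routes Monitor Enabled" "Static Routes Enabled"; do
    printf '%s\n' "$log" | grep -qF "msg=\"$msg\"" ||
      { echo "MISSING log line: $msg" >&2; exit 1; }
  done
)

# Sample inputs. SAMPLE_VALUES and SAMPLE_LOG are copied from output shown on
# this page; SAMPLE_DRIFTED is constructed (an upgrade that passed only two flags).
SAMPLE_VALUES='USER-SUPPLIED VALUES:
parameters:
  virtualServerWafProfile: mandatory
  openshiftRouteSupport: yes
  enableStaticRouteSupport: yes'
SAMPLE_DRIFTED='USER-SUPPLIED VALUES:
parameters:
  openshiftRouteSupport: "yes"
  enableStaticRouteSupport: "yes"'
SAMPLE_LOG='time="2025-08-25T18:46:09Z" level=info msg="Starting FortiADC Kubernetes controller"
time="2025-08-25T18:46:09Z" level=info msg="Routes Monitor Enabled"
time="2025-08-25T18:46:09Z" level=info msg="Static Routes Enabled"'

# Live usage, with the release and project names used on this page:
#   helm get values first-release -n fortiadc-ingress | check_values \
#     openshiftRouteSupport=yes enableStaticRouteSupport=yes virtualServerWafProfile=mandatory
#   oc logs deployment/first-release-fadc-k8s-ctrl -n fortiadc-ingress | check_log
printf '%s\n' "$SAMPLE_VALUES" | check_values openshiftRouteSupport=yes \
  enableStaticRouteSupport=yes virtualServerWafProfile=mandatory && echo "values OK"
printf '%s\n' "$SAMPLE_LOG" | check_log && echo "log OK"
```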
