Deploying Service Chain (cSRX) with JCNR
Starting Release 23.4, the Juniper Cloud-Native Router (JCNR) can be integrated with Juniper's containerized SRX (cSRX) platform to provide security services such as IPsec. This functionality is achieved using host-based service chaining. The cloud-native router is chained with a security service instance (cSRX) in the same Kubernetes cluster. The cSRX instance runs as a pod service in L3 mode. The cSRX instance is customized and deployed via a helm chart that you download from the Juniper Networks software download site.
Customize cSRX Helm Chart
The cSRX service chaining instance is deployed via a helm chart. The configuration parameters are provided via the values.yaml manifest file. The deployment consists of two essential components:
- csrx-init: This is an init container that prepares the configuration for the main cSRX application. It extracts the necessary information from the values.yaml manifest file, processes it, and generates the configuration data for cSRX. This ensures that the main cSRX application starts with a valid, up-to-date configuration.
- csrx: The csrx is the main application container and the core component of the cSRX deployment. It relies on the configuration provided by the csrx-init container to function correctly.
You can customize the cSRX deployment by specifying a range of configuration parameters in the values.yaml manifest file. Key configuration options include:
- interfaceType: This is the type of interface on the cSRX to connect to JCNR. Must be set to vhost only.
- interfaceConfigs: This is an array defining the interface IP address, gateway address and optionally routes. The interface IP must match the localAddress element in the ipSecTunnelConfigs array. The routes should contain the prefixes that steer decrypted traffic to JCNR and a reachability route for the IPsec gateway.
- ipSecTunnelConfigs: This is an array defining the IPsec configuration details such as ike-phase1, proposal, policy and gateway configuration. The traffic selector should contain the traffic that is expected to be encrypted.
- jcnr_config: This is an array defining the routes to be configured in JCNR to steer traffic from JCNR to cSRX and to steer IPsec traffic from the remote IPsec gateway to the cSRX to apply the security service chain.
Here is a sample values.yaml for cSRX deployment:
# Default values for cSRX.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
common:
  registry: enterprise-hub.juniper.net
  repository: jcnr-container-prod
csrxInit:
  image: junos-csrx-init
  tag: 23.4R1.9
  imagePullPolicy: IfNotPresent
  resources:
    #limits:
    #  memory: 1Gi
    #  cpu: 1
    #requests:
    #  memory: 1Gi
    #  cpu: 1
csrx:
  image: junos-csrx
  tag: 23.4R1.9
  imagePullPolicy: IfNotPresent
  resources:
    limits:
      hugepages-1Gi: 4Gi
      memory: 4Gi
    requests:
      hugepages-1Gi: 4Gi
      memory: 4Gi
# uncomment below if you are using a private registry that needs authentication
# registryCredentials - Base64 representation of your Docker registry credentials
# secretName - Name of the Secret object that will be created
#imagePullSecret:
#  registryCredentials: <base64-encoded-credential>
#  secretName: regcred
# nodeAffinity: Can be used to inject nodeAffinity for cSRX
# you may label the nodes where we wish to deploy cSRX and inject affinity accordingly
#nodeAffinity:
#- key: node-role.kubernetes.io/worker
#  operator: Exists
#- key: node-role.kubernetes.io/master
#  operator: DoesNotExist
#- key: kubernetes.io/hostname
#  operator: In
#  values:
#  - example-host-1
replicas: 1
interfaceType: "vhost"
interfaceConfigs:
  - name: eth1
    ip: 171.1.1.1/30          # should match ipSecTunnelConfigs localAddress if configured
    gateway: 171.1.1.2        # gateway configuration
    #ip6: 171:1:1::1/64       # optional
    #ip6Gateway: 171:1:1::2   # optional
    routes:                   # this field is optional
      - "181.1.1.0/24"
      #- "200.1.1.0/24"
  - name: eth2
    ip: 1.21.1.1/30           # should match ipSecTunnelConfigs localAddress if configured
    gateway: 1.21.1.2         # gateway configuration
    #ip6: 181:2:1::1/64       # optional
    #ip6Gateway: 181:2:1::2   # optional
    routes:                   # this field is optional
      - "222.1.1.0/24"
      #- "192.1.1.0/24"
ipSecTunnelConfigs:
  # untrust
  - interface: eth1
    ## section ike-phase1, proposal, policy, gateway
    gateway: 181.1.1.1
    localAddress: 171.1.1.1
    authenticationAlgorithm: sha-256
    encryptionAlgorithm: aes-256-cbc
    preSharedKey: "$9$zt3l3AuIRhev8FnNVsYoaApu0RcSyev8XO1NVYoDj.P5F9AyrKv8X"
    trafficSelector:
      - name: ts1
        localIP: 222.1.1.0/24    ## IP cannot be 0.0.0.0/0
        remoteIP: 111.1.1.0/24   ## IP cannot be 0.0.0.0/0
jcnr_config:
  - name: eth2
    routes:
      - "111.1.1.0/24"
csrx_ctrl_cpu: "0x01"
csrx_data_cpu: "0x0A"
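As an added pre-flight check that is not part of the Juniper documentation or the cSRX chart, the following Python enforces the consistency rules stated above on a parsed values.yaml before helm install: interfaceType is vhost, each tunnel's localAddress equals the address of its interface, a route on that interface covers the IPsec gateway, no traffic selector prefix is 0.0.0.0/0, and routes exist to steer localIP back to JCNR and remoteIP into the cSRX. The embedded dict mirrors the page's sample values (constructed, not a live deployment); to check a real file, pass the result of PyYAML's yaml.safe_load to validate_values().

```python
import ipaddress

# Constructed sample mirroring the values.yaml shown on this page (the page's example
# addresses, not a live deployment); only the keys the checks below consume are included.
SAMPLE_VALUES = {
    "interfaceType": "vhost",
    "interfaceConfigs": [
        {"name": "eth1", "ip": "171.1.1.1/30", "gateway": "171.1.1.2", "routes": ["181.1.1.0/24"]},
        {"name": "eth2", "ip": "1.21.1.1/30", "gateway": "1.21.1.2", "routes": ["222.1.1.0/24"]},
    ],
    "ipSecTunnelConfigs": [
        {"interface": "eth1", "gateway": "181.1.1.1", "localAddress": "171.1.1.1",
         "trafficSelector": [{"name": "ts1", "localIP": "222.1.1.0/24", "remoteIP": "111.1.1.0/24"}]},
    ],
    "jcnr_config": [{"name": "eth2", "routes": ["111.1.1.0/24"]}],
}
ANY = ipaddress.ip_network("0.0.0.0/0")

def validate_values(values):
    """Return a list of findings for a parsed values.yaml; an empty list means all checks passed."""
    findings = []
    if values.get("interfaceType") != "vhost":
        findings.append("interfaceType must be 'vhost'")
    ifaces = {i["name"]: i for i in values.get("interfaceConfigs", [])}
    iface_routes = [ipaddress.ip_network(r) for i in ifaces.values() for r in i.get("routes", [])]
    jcnr_routes = [ipaddress.ip_network(r) for j in values.get("jcnr_config", []) for r in j.get("routes", [])]
    for t in values.get("ipSecTunnelConfigs", []):
        iface = ifaces.get(t.get("interface"))
        if iface is None:
            findings.append(f"tunnel interface {t.get('interface')} is not in interfaceConfigs")
            continue
        # localAddress must equal the interface address without its prefix length.
        if str(ipaddress.ip_interface(iface["ip"]).ip) != t.get("localAddress"):
            findings.append(f"{iface['name']}: localAddress {t.get('localAddress')} != interface ip {iface['ip']}")
        # The remote IPsec gateway needs a reachability route on the tunnel's interface.
        gw = ipaddress.ip_address(t["gateway"])
        if not any(gw in ipaddress.ip_network(r) for r in iface.get("routes", [])):
            findings.append(f"{iface['name']}: no route covers IPsec gateway {gw}")
        for ts in t.get("trafficSelector", []):
            local, remote = ipaddress.ip_network(ts["localIP"]), ipaddress.ip_network(ts["remoteIP"])
            if ANY in (local, remote):
                findings.append(f"{ts['name']}: traffic selector prefixes cannot be 0.0.0.0/0")
            # Decrypted traffic for localIP is steered back to JCNR by an interface route ...
            if not any(local.subnet_of(r) for r in iface_routes):
                findings.append(f"{ts['name']}: no interface route steers localIP {local} to JCNR")
            # ... and JCNR needs a jcnr_config route that sends remoteIP-bound traffic into the cSRX.
            if not any(remote.subnet_of(r) for r in jcnr_routes):
                findings.append(f"{ts['name']}: no jcnr_config route steers remoteIP {remote} to cSRX")
    return findings
```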
Install cSRX
The cSRX service chain is deployed after the JCNR deployment. Read this section to install the cSRX instance.
Download the cSRX installation bundle from the Juniper Networks software download site. The file that you download is called junos_csrx_<release>.tar.gz. After downloading the file, expand it and change into the junos_csrx_release_number directory.
- The cSRX container images are required for deployment. You may choose one of the following options:
  - Download and deploy images from the Juniper repository, enterprise-hub.juniper.net. See Configure Repository Credentials for instructions on how to configure repository credentials in the deployment helm chart.
  - Upload the cSRX images either to a local docker or to your own docker repository using the docker load command. The images are available in the junos_csrx_release_number/images directory:
    docker load -i images/csrx-images.tgz
- Enter the cSRX license into the secrets/csrx-secrets.yaml file. You must enter the password and license in base64 encoded format. You can view the sample contents of the csrx-secrets.yaml file below:
  apiVersion: v1
  kind: Secret
  metadata:
    name: service-chain-instance
    namespace: jcnr
  data:
    csrx_license: |
      <add your license in base64 format>
  To encode the license file, copy the license file onto your host server and issue the command:
  base64 -w 0 licenseFile
  You must copy the base64 output and paste it into the secrets/csrx-secrets.yaml file in the appropriate location.
  Note: You must obtain your license file from your account team and install it in the secrets.yaml file as instructed above. The csrx-init container performs a license check and proceeds only if the required secret service-chain-instance is found.
  Apply the csrx-secrets.yaml to the Kubernetes system:
  kubectl apply -f secrets/secrets.yaml
  secret/service-chain-instance created
Ensure all components of JCNR are up and running before installing the cSRX instance.
Ensure you have customized the cSRX helm chart. Navigate to the junos_csrx_release_number/helmchart directory. Expand the bundle to view the helmcharts. Refer to the example given above to configure the values.yaml. Navigate to the junos_csrx_release_number/helmchart/junos-csrx directory and issue the following command to install the cSRX instance.
helm install csrx .