Deploying Service Chain (cSRX) with JCNR

Read this section to learn how to customize and deploy a security services instance (cSRX) with the Cloud-Native Router.

You can integrate the Juniper Cloud-Native Router (JCNR) with Juniper's containerized SRX (cSRX) platform to provide security services such as IPsec. Using host-based service chaining, the cloud-native router is chained with a security service instance (cSRX) in the same Kubernetes cluster. The cSRX instance runs as a pod service in L3 mode. The cSRX instance is customized and deployed via a Helm chart.

You have the option of deploying Juniper cSRX when you're installing Cloud-Native Router or after you've installed JCNR. See Cloud-Native Router Software Download Packages for a description of the available packages.

Install cSRX on an Existing Cloud-Native Router Installation

Follow this procedure to install a cSRX instance on an existing Cloud-Native Router installation. Ensure all Cloud-Native Router components are up and running before you start this procedure.

  1. Download and expand the software package for installing Juniper cSRX on an existing Cloud-Native Router installation. See Cloud-Native Router Software Download Packages for a description of the software packages available.
  2. Change to the junos_csrx_<release>/helmchart directory and expand the Helm chart.
    The Helm chart is located in the junos-csrx directory.
  3. The cSRX container images are required for deployment. Choose one of the following options:
    • Configure your cluster to deploy images from the Juniper Networks enterprise-hub.juniper.net repository. See Configure Repository Credentials for example instructions on how to configure repository credentials in Helm charts.

    • Configure your cluster to deploy images from the image tarball included in the downloaded cSRX software package. See Deploy Prepackaged Images for example instructions on how to import images to the local containerd runtime.

  4. Follow the steps in Apply the cSRX License and Configure cSRX to apply your cSRX license and configure the cSRX Helm chart.
  5. Install cSRX.
    Navigate to the junos_csrx_<release>/helmchart/junos-csrx directory and issue the following command to install the cSRX instance.

Install cSRX During Cloud-Native Router Installation

Follow the steps in the respective Cloud-Native Router installation sections to install JCNR. One of the steps will refer you to Apply the cSRX License and Configure cSRX.

Apply the cSRX License and Configure cSRX

Follow this procedure to apply your cSRX license and configure Juniper cSRX.

The following steps assume you're in the Juniper_Cloud_Native_Router_CSRX_<release> directory if installing cSRX and Cloud-Native Router together, or in the junos_csrx_<release> directory if installing cSRX on an existing Cloud-Native Router installation.

  1. Copy the cluster kubeconfig to all nodes where you want to install the Cloud-Native Router and cSRX combination.
    This step applies to both installing cSRX during Cloud-Native Router installation and installing cSRX on an existing Cloud-Native Router installation. If you don't perform this step, the installation may fail.
    1. Copy the cluster kubeconfig to a location of your choice on the target node.
      For example, the following copies the cluster kubeconfig from its default location at ~/.kube/config to /root/kubeconfig on the target node:

      where <worker-node-ip> is the IP address of a node where you want to install both Cloud-Native Router and cSRX. Repeat for all nodes where you want to install both Cloud-Native Router and cSRX.
      Note:

      The destination file path must be the same on all target nodes.

    2. After copying the kubeconfig to all target nodes, set kubeConfigPath in values.yaml to the destination file location.
      For example:

      See Customize cSRX Helm Chart for information on the parameters in values.yaml.
  2. Apply your Juniper cSRX license.
    1. If the secrets/csrx-secrets.yaml doesn't exist in your software package, create it with the contents below:
    2. Encode your license in base64.

      Copy your Juniper cSRX license file onto your host server and issue the command:

      The output of this command is your base64-encoded license.
    3. Replace <add your license in base64 format> with your base64-encoded license.
      Note:

      You must obtain your license file from your account team and install it in the secrets/csrx-secrets.yaml file as instructed above. The csrx-init container performs a license check and proceeds only if the required secret service-chain-instance is found.

    4. Encode your root password in base64. The root password is required for NETCONF access for telemetry.
      Create a text file that contains your root password and then base64-encode it.

      The output of this command is your base64-encoded root password.
    5. Replace <add your root password in base64 format> with your base64-encoded root password.
    6. Apply the secrets/csrx-secrets.yaml to the Kubernetes cluster.
  3. Configure the cSRX Helm chart.
    • If you're installing cSRX at the same time you're installing JCNR, then you're configuring the junos-csrx section of the combination Helm chart in Juniper_Cloud_Native_Router_CSRX_<release>/helmchart/jcnr_csrx/values.yaml.

    • If you're installing cSRX on an existing Cloud-Native Router installation, then you're configuring the csrx section of the standalone Helm chart in junos_csrx_<release>/helmchart/junos-csrx/values.yaml.

    Refer to the cSRX parameter descriptions in Customize cSRX Helm Chart.
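
The encoding and substitution in step 2 (Apply your Juniper cSRX license) can be scripted as below. This is an added example, not part of the Juniper package: the template, the sample license and password, and the two data key names are constructed, and only the Secret name service-chain-instance and the two placeholder strings come from this page.

```shell
#!/bin/sh
# Added example (not Juniper's script): fill the two placeholders in a copy of
# secrets/csrx-secrets.yaml from a license file and a root-password file.

# Base64-encode a file as ONE line; wrapped output would corrupt the value.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Succeed only if the encoded value decodes back to the exact input bytes.
b64_verify() {
    printf '%s' "$2" | base64 -d | cmp -s - "$1"
}

# Usage: render_secret TEMPLATE LICENSE_FILE PASSWORD_FILE > manifest
render_secret() {
    lic=$(b64_oneline "$2") && b64_verify "$2" "$lic" || return 1
    pw=$(b64_oneline "$3") && b64_verify "$3" "$pw" || return 1
    # '|' is outside the base64 alphabet, so it is a safe sed delimiter.
    sed -e "s|<add your license in base64 format>|$lic|" \
        -e "s|<add your root password in base64 format>|$pw|" "$1"
}

demo() {
    umask 077                      # files created here hold credentials
    d=$(mktemp -d) || return 1
    # Constructed inputs: a fake license and a sample password.
    printf 'CONSTRUCTED-LICENSE-TEXT\n' > "$d/license.txt"
    printf '%s' 'Example-Passw0rd' > "$d/rootpw.txt"
    # Constructed template: only the Secret name and the two placeholders
    # come from the page; the data key names are hypothetical.
    cat > "$d/template.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: service-chain-instance
data:
  license-key-name: <add your license in base64 format>
  password-key-name: <add your root password in base64 format>
EOF
    render_secret "$d/template.yaml" "$d/license.txt" "$d/rootpw.txt"
    rm -rf "$d"                    # do not leave the plaintext password behind
}

demo
```

Values in a Kubernetes Secret's data field are base64-encoded, not encrypted, so keep the rendered manifest and the password file readable by root only and remove the plaintext password file once the secret is applied.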

Customize cSRX Helm Chart

The cSRX service chaining instance is deployed via a Helm chart, either a standalone Helm chart or a combined Helm chart with JCNR. The deployment consists of two essential components:

  • csrx-init: This is an init container that prepares the configuration for the main cSRX application. It extracts the necessary information from the values.yaml file, processes it, and generates the configuration data for cSRX. This ensures that the main cSRX application starts with a valid, up-to-date configuration.

  • csrx: This is the main application container and the core component of the cSRX deployment. It relies on the configuration provided by the csrx-init container to function correctly.

You can customize the cSRX deployment by specifying a range of configuration parameters in the values.yaml file. Key configuration options include:

  • kubeConfigPath: This is the path to the cluster kubeconfig file on the node(s) where you're installing Cloud-Native Router and cSRX. You copied the cluster kubeconfig to this file location on the node(s) in step 1 in Apply the cSRX License and Configure cSRX. If this parameter is commented out, then the cluster kubeconfig is assumed to be at /etc/kubernetes/kubelet.conf.

  • interfaceType: This is the type of interface on the cSRX to connect to JCNR. Must be set to vhost only.

  • interfaceConfigs: This is an array defining the interface IP address, gateway address and, optionally, routes. The interface IP must match the localAddress element in the ipSecTunnelConfigs array. The routes should contain prefixes to steer decrypted traffic to Cloud-Native Router and a reachability route for the IPsec gateway.

  • ipSecTunnelConfigs: This is an array defining the IPsec configuration details such as ike-phase1, proposal, policy and gateway configuration. The traffic selector should contain the traffic that is expected to be encrypted.

  • jcnr_config: This is an array defining the routes to be configured in Cloud-Native Router to steer traffic from Cloud-Native Router to cSRX and to steer IPsec traffic from the remote IPsec gateway to the cSRX to apply the security service chain.

  • telemetry: Enable or disable telemetry.

Here is the default values.yaml for standalone cSRX deployment:

For a cSRX configuration example, see IPsec Security Services in the Juniper Cloud Native Router User Guide.