Deploying Service Chain (cSRX) with JCNR
Read this section to learn how to customize and deploy a security services instance (cSRX) with the Cloud-Native Router.
You can integrate the Juniper Cloud-Native Router (JCNR) with Juniper's containerized SRX (cSRX) platform to provide security services such as IPsec. Using host-based service chaining, the cloud-native router is chained with a security service instance (cSRX) in the same Kubernetes cluster. The cSRX instance runs as a pod service in L3 mode. The cSRX instance is customized and deployed via a Helm chart.
You have the option of deploying Juniper cSRX when you're installing Cloud-Native Router or after you've installed JCNR. See Cloud-Native Router Software Download Packages for a description of the available packages.
cSRX is supported on all Cloud-Native Router platforms:
| Platform | cSRX |
|---|---|
| Bare Metal | Yes |
| Red Hat OpenShift | Yes |
| Amazon EKS | Yes |
| Google Cloud Platform | Yes |
| Wind River Cloud Platform | Yes |
| Microsoft Azure | Yes |
| VMware Tanzu | Yes |
Install cSRX on an Existing Cloud-Native Router Installation
Follow this procedure to install a cSRX instance on an existing Cloud-Native Router installation. Ensure all Cloud-Native Router components are up and running before you start this procedure.
Install cSRX During Cloud-Native Router Installation
Apply the cSRX License and Configure cSRX
Follow this procedure to apply your cSRX license and configure Juniper cSRX.
The following steps assume you're in the Juniper_Cloud_Native_Router_CSRX_<release> directory if installing cSRX and Cloud-Native Router together, or in the junos_csrx_<release> directory if installing cSRX on an existing Cloud-Native Router installation.
Customize cSRX Helm Chart
The cSRX service chaining instance is deployed via a Helm chart, either a standalone Helm chart or a combined Helm chart with JCNR. The deployment consists of two essential components:
- `csrx-init`: This is an init container that prepares the configuration for the main cSRX application. It extracts the necessary information from the values.yaml file, processes it, and generates the configuration data for cSRX. This ensures that the main cSRX application starts with a valid, up-to-date configuration.
- `csrx`: The csrx is the main application container and the core component of the cSRX deployment. It relies on the configuration provided by the `csrx-init` container to function correctly.
You can customize the cSRX deployment by specifying a range of configuration parameters in the values.yaml file. Key configuration options include:
- `kubeConfigPath`: This is the path to the cluster kubeconfig file on the nodes where you're installing Cloud-Native Router and cSRX. You copied the cluster kubeconfig to this file location on these nodes in step 1 of Apply the cSRX License and Configure cSRX. If this parameter is commented out, the cluster kubeconfig is assumed to be at /etc/kubernetes/kubelet.conf.
- `interfaceType`: This is the type of interface on the cSRX to connect to JCNR. Must be set to `vhostonly`.
- `interfaceConfigs`: This is an array defining the interface IP address, gateway address and, optionally, routes. The interface IP must match the `localAddress` element in the `ipSecTunnelConfigs` array. The routes should contain the prefixes that steer decrypted traffic to Cloud-Native Router and a reachability route for the IPsec gateway.
- `enableUserConfig`:
  - Set to `false` if you want cSRX to create your IPsec tunnels now, during installation. Define your IPsec tunnels in the `ipSecTunnelConfigs` section of this Helm chart. cSRX automatically creates a configlet based on that configuration and applies it for you during cSRX installation.
  - Set to `true` if you want to create your IPsec tunnels on your own later. In this case, you don't define `ipSecTunnelConfigs` in this Helm chart. Instead, you define your IPsec configuration directly in a configlet and explicitly apply it any time after cSRX is installed.
- `ipSecTunnelConfigs`: This is an array defining the IPsec configuration details such as the ike-phase1, proposal, policy and gateway configuration. The traffic selector should contain the traffic that is expected to be encrypted. This section applies only if `enableUserConfig` is set to `false`.
- `jcnr_config`: This is an array defining the routes to be configured in Cloud-Native Router to steer traffic from Cloud-Native Router to cSRX, and to steer IPsec traffic from the remote IPsec gateway to the cSRX so that the security service chain is applied.
- `telemetry`: Enable or disable telemetry.
Here is the default values.yaml for standalone cSRX deployment:
```yaml
# Default values for cSRX.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Set to true if IPsec tunnels will be configured by user at a later stage
enableUserConfig: false # enable /disable user configuration

common:
  registry: enterprise-hub.juniper.net/
  repository: jcnr-container-prod/

csrxInit:
  repository:
  image: csrx-init
  tag: 25.2.0.92
  imagePullPolicy: IfNotPresent
  resources:
    #limits:
    #  memory: 1Gi
    #  cpu: 1
    #requests:
    #  memory: 1Gi
    #  cpu: 1

csrx:
  repository:
  image: csrx
  tag: 25.2R1.9
  imagePullPolicy: IfNotPresent
  resources:
    limits:
      hugepages-1Gi: 4Gi
      memory: 4Gi
    requests:
      hugepages-1Gi: 4Gi
      memory: 4Gi

csrxTelemetry:
  repository:
  image: contrail-telemetry-exporter
  tag: 25.2.0.92
  imagePullPolicy: IfNotPresent
  resources:

# uncomment below if you are using a private registry that needs authentication
# registryCredentials - Base64 representation of your Docker registry credentials
# secretName - Name of the Secret object that will be created
#imagePullSecret:
#  registryCredentials: <base64-encoded-credential>
#  secretName: regcred

# nodeAffinity: Can be used to inject nodeAffinity for cSRX
# you may label the nodes where we wish to deploy cSRX and inject affinity accordingly
#nodeAffinity:
#- key: node-role.kubernetes.io/worker
#  operator: Exists
#- key: node-role.kubernetes.io/master
#  operator: DoesNotExist
#- key: kubernetes.io/hostname
#  operator: In
#  values:
#  - example-host-1

# Toleration allows the cSRX related pods to tolerate nodes with specific taints
#tolerations:
#- key: "csrx"
#  operator: "Equal"
#  value: "yes"
#  effect: "NoSchedule"

enableSecurityALg: false # enable /disable security alg
replicas: 1
interfaceType: "vhost"

interfaceConfigs:
#- name: ge-0/0/0
#  ip: 181.1.1.1/30 # should match ipSecTunnelConfigs localAddress if configured
#  gateway: 181.1.1.2 # gateway configuration
#  ip6: 181:1:1::1/64 # optional
#  ip6Gateway: 181:1:1::2 # optional
#  routes: # this field is optional
#  - "191.1.1.0/24"
#  - "200.1.1.0/24"
#  instance_parameters:
#    name: "untrust"
#    type: "vrf" # options include virtual-router or vrf
#    vrfTarget: 10:10 # this option is valid only for vrf
#- name: ge-0/0/1
#  ip: 1.21.1.1/30 # should match ipSecTunnelConfigs localAddress if configured
#  gateway: 1.21.1.2 # gateway configuration
#  ip6: 181:2:1::1/64 # optional
#  ip6Gateway: 181:2:1::2 # optional
#  routes: # this field is optional
#  - "111.1.1.0/24"
#  - "192.1.1.0/24"
#  instance_parameters:
#    name: "trust"
#    type: "vrf" # options include virtual-router or vrf
#    vrfTarget: 11:11 # this option is valid only for vrf

ipSecTunnelConfigs: # untrust
#Tunnel 1 config
#- interface: ge-0/0/0 ## section ike-phase1, proposal, policy, gateway
#  gateway: 181.1.1.1
#  localAddress: 171.1.1.1
#  localIdentificationHostname: jcnr-csrx3.com #Optional
#  remoteIdentificationHostname: jcnr-csrx1.com #Optional
#  authenticationAlgorithm: sha-256
#  encryptionAlgorithm: aes-256-cbc
#  preSharedKey: "$9$zt3l3AuIRhev8FnNVsYoaApu0RcSyev8XO1NVYoDj.P5F9AyrKv8X"
#  trafficSelector:
#  - name: ts1
#    localIP: 222.1.1.0/24 ## IP cannot be 0.0.0.0/0
#    remoteIP: 111.1.1.0/24 ## IP cannot be 0.0.0.0/0
#Tunnel 2 config
#- interface: ge-0/0/0 ## section ike-phase1, proposal, policy, gateway
#  gateway: 191.1.1.1
#  localAddress: 171.1.1.1
#  localIdentificationHostname: jcnr-csrx3.com #Optional
#  remoteIdentificationHostname: jcnr-csrx1.com #Optional
#  authenticationAlgorithm: sha-256
#  encryptionAlgorithm: aes-256-cbc
#  preSharedKey: "$9$zt3l3AuIRhev8FnNVsYoaApu0RcSyev8XO1NVYoDj.P5F9AyrKv8X"
#  trafficSelector:
#  - name: ts2
#    localIP: 100.1.1.0/24 ## IP cannot be 0.0.0.0/0
#    remoteIP: 200.1.1.0/24 ## IP cannot be 0.0.0.0/0

jcnr_config:
#- name: ge-0/0/0
#  routes:
#  - "121.1.1.0/24"

#csrx_flavor: specify the csrx deployment model. Corresponding values for csrx control and data
#must be provided based on the flavor mentioned below. Following are possible options:
#  CSRX-2CPU-4G
#  CSRX-4CPU-8G
#  CSRX-6CPU-12G
#  CSRX-8CPU-16G
#  CSRX-16CPU-32G
#  CSRX-20CPU-48G
csrx_flavor: CSRX-2CPU-4G
csrx_ctrl_cpu: "0x01"
csrx_data_cpu: "0x02"

telemetry:
  enable: false
  gnmi: true
  service:
    type: ClusterIP
    labels: {}
    annotations: {}
    clusterIP: ""
    # List of IP addresses at which the cSRX telemetry service is available
    # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
    externalIPs: []
    # Only use if service.type is "LoadBalancer"
    loadBalancerIP: ""
    # Ports to expose on each node
    # Only used if service.type is "NodePort"
    nodePort:
      prometheus: 30073
      gnmi: 30077

contrail_k8s_applier:
  image: contrail-k8s-applier
  tag: 25.2.0.92
  pullPolicy: IfNotPresent

csrx_log_path: "/var/log/csrx/"
```
For a cSRX configuration example, see IPsec Security Services in the Juniper Cloud Native Router User Guide.
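The constraints spelled out above (interface IP must equal the tunnel's localAddress, routes must give reachability to the IPsec gateway, traffic selectors cannot be 0.0.0.0/0, and ipSecTunnelConfigs only belongs with enableUserConfig set to false) are easy to get wrong before a `helm install`. The following pre-flight check is an added example, not Juniper's code or part of the chart; the sample values dict is constructed in the shape of the values.yaml above, and treating "reachability" as "gateway is on-link or covered by one of the interface's routes" is this example's own interpretation.

```python
import ipaddress

# Constructed sample in the shape of the page's values.yaml (not Juniper's file).
# In practice load the real file with yaml.safe_load(); tunnel 2 is deliberately
# inconsistent so the checks have something to report.
VALUES = {
    "enableUserConfig": False,
    "interfaceConfigs": [
        {"name": "ge-0/0/0", "ip": "181.1.1.1/30", "gateway": "181.1.1.2",
         "routes": ["191.1.1.0/24", "200.1.1.0/24"]},
    ],
    "ipSecTunnelConfigs": [
        {"interface": "ge-0/0/0", "gateway": "191.1.1.1", "localAddress": "181.1.1.1",
         "trafficSelector": [{"name": "ts1", "localIP": "222.1.1.0/24", "remoteIP": "111.1.1.0/24"}]},
        {"interface": "ge-0/0/0", "gateway": "10.9.9.1", "localAddress": "171.1.1.1",
         "trafficSelector": [{"name": "ts2", "localIP": "0.0.0.0/0", "remoteIP": "200.1.1.0/24"}]},
    ],
}

def validate(values):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    tunnels = values.get("ipSecTunnelConfigs") or []
    if values.get("enableUserConfig"):
        if tunnels:
            problems.append("enableUserConfig=true: leave ipSecTunnelConfigs undefined")
        return problems  # tunnels come later from a user-applied configlet
    if not tunnels:
        problems.append("enableUserConfig=false: ipSecTunnelConfigs must define a tunnel")
    ifaces = {i["name"]: i for i in values.get("interfaceConfigs") or []}
    for t in tunnels:
        name, iface = t["interface"], ifaces.get(t["interface"])
        if iface is None:
            problems.append(f"tunnel on {name}: no matching interfaceConfigs entry")
            continue
        addr = ipaddress.ip_interface(iface["ip"])
        # the interface IP must match the tunnel's localAddress
        if ipaddress.ip_address(t["localAddress"]) != addr.ip:
            problems.append(f"tunnel on {name}: localAddress {t['localAddress']} != interface ip {addr.ip}")
        # reachability (assumed interpretation): gateway on-link or covered by a configured route
        gw = ipaddress.ip_address(t["gateway"])
        if gw not in addr.network and not any(gw in ipaddress.ip_network(r, strict=False) for r in iface.get("routes", [])):
            problems.append(f"tunnel on {name}: no reachability route for IPsec gateway {gw}")
        for ts in t.get("trafficSelector", []):
            for side in ("localIP", "remoteIP"):
                if ipaddress.ip_network(ts[side], strict=False).prefixlen == 0:
                    problems.append(f"traffic selector {ts['name']}: {side} cannot be 0.0.0.0/0")
    return problems
```

Run `validate()` on the dict loaded from your values.yaml before `helm install`; every string it returns is a misconfiguration that would otherwise only surface as a tunnel that never comes up.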