Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Extend TLS Analytics

SUMMARY This topic describes how to enable TLS certificates for analytics components in Juniper® Cloud-Native Contrail Networking (CN2) Release 23.2 and later in a Kubernetes-orchestrated environment.


Starting in Release 23.2, you can enable TLS certificates for analytics components in CN2. TLS is a security protocol used for certificate exchange, mutual authentication, and negotiating ciphers to secure the stream from potential tampering and eavesdropping.

Certificates are part of the deployment used to start CN2. In Kubernetes all certificates are translated to secrets. By default, the certificate and secrets for the Contrail control plane and vRouter are automatically generated in the Juniper ContrailCertificateManager CRD.

Helm is used to install the TLS analytic components. When you install the components, certificate manager automatically creates the certificates and secrets needed for each analytic component. Once the certificate (secret) is created, each component has the secret name defined in its own deployment.yaml file that pulls the certificates when the pod comes up.

Enable TLS on Analytics Components

The following sections describe how to enable TLS on CN2 and third party analytics components.


To use this feature, you must install the following:

  • A Kubernetes cluster

  • CN2 Release 23.2 or later

  • Helm 3.0 or later for Kubernetes, needed to install the analytic components. For more information, see the Helm website.

Enable TLS on CN2 Analytics Components

By default, TLS is automatically enabled on CN2 components during a Helm installation. When you install analytic components with Helm, certificate manager creates the certificates and secrets needed for each CN2 component. The secret is then added to the component's deployment.yaml file as shown in the following examples:

  • Collector: A collector is a component that gathers data from various sources and transforms it into a format that can be easily analyzed. Collectors can apply transformations to the data such as filtering or aggregation.

    The following is an example of collector with TLS enabled:

    • Dashboard: The Dashboard component is a back-end service that serves the CN2 GUI.

      The following is an example of Dashboard with TLS enabled:

    • Portal: The portal analytics component enables a high-level overview of traffic patterns aggregated across a single portal in a dashboard-style visualization. This data can be used to analyze portal traffic and application rates over time.

      The following is an example of portal analytics with TLS enabled:

    • Introspect: Introspect is a diagnostic utility that allows you to browse the internal state of CN2 components.

      The following is an example of Introspect with TLS enabled:

  • Multicluster Proxy: Multicluster is used to serve requests pertaining to multiple clusters and RBAC management.

    The following is an example of Multicluster Proxy with TLS enabled:

  • Contrail config exporter: Config exporter is used to get metrics related to deployments, and the virtual machine interface.

    The following is an example of Contrail config exporter with TLS enabled:

Enable TLS on Third Party Analytics Components

You can also enable TLS on third party analytics components. Certificate manager creates the certificate and secrets, but these components require additional configurations to enable TLS, as shown in the following examples:

Note: If you want to disable TLS, remove the TLS section for the component in its deployment.yaml file.


Ambassador serves as an ingress for all incoming API requests (Prometheus, Collector, Dashboard, Proxy) from the outside.

The following is an example of Ambassador with TLS enabled:


Fluentd collects logs, events, and flows running on each CN2 node. Fluentd is the logging agent that performs log collection, parsing, and distribution to other services such as OpenSearch.

The following is an example of Fluentd with TLS enabled:


InfluxDB is a time series database built specifically for storing time series data. InfluxDB works with Grafana as a visualization tools for time series data. Enabling TLS encrypts the communication between clients and the InfluxD server.

The following is an example of InfluxDB with TLS enabled:

Kube Prometheus Stack

Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana dashboards, and Prometheus rules that provides easy to operate end-to-end Kubernetes cluster monitoring.

The following is an example of Kube Prometheus Stack with TLS enabled:

OpenSearch and OpenSearch Dashboards

OpenSearch is the search and analytics engine in the AWS OpenSearch Stack that provides real time search and analytics for all types of data. OpenSearch Dashboards is the GUI that lets you visualize your OpenSearch data and navigate the OpenSearch Stack.

The following is an example of OpenStack with TLS enabled:

The following is an example of OpenSearch dashboards with TLS enabled: