ON THIS PAGE
Extend TLS Analytics
SUMMARY This topic describes how to enable TLS certificates for analytics components in Juniper® Cloud-Native Contrail Networking (CN2) Release 23.2 and later in a Kubernetes-orchestrated environment.
Overview
Starting in Release 23.2, you can enable TLS certificates for analytics components in CN2. TLS is a security protocol used for certificate exchange, mutual authentication, and negotiating ciphers to secure the stream from potential tampering and eavesdropping.
Certificates are part of the deployment used to start CN2. In Kubernetes all
certificates are translated to secrets. By default, the certificate and secrets for
the Contrail control plane and vRouter are automatically generated in the Juniper
ContrailCertificateManager CRD.
Helm is used to install the TLS analytic components. When you install the components,
certificate manager automatically creates the certificates and secrets needed for
each analytic component. Once the certificate (secret) is created, each component
has the secret name defined in its own deployment.yaml file that
pulls the certificates when the pod comes up.
Enable TLS on Analytics Components
The following sections describe how to enable TLS on CN2 and third party analytics components.
Prerequisites
To use this feature, you must install the following:
-
A Kubernetes cluster
-
CN2 Release 23.2 or later
-
Helm 3.0 or later for Kubernetes, needed to install the analytic components. For more information, see the Helm website.
Enable TLS on CN2 Analytics Components
By default, TLS is automatically enabled on CN2 components during a Helm
installation. When you install analytic components with Helm, certificate
manager creates the certificates and secrets needed for each CN2 component. The
secret is then added to the component's deployment.yaml file as
shown in the following examples:
-
Collector: A collector is a component that gathers data from various sources and transforms it into a format that can be easily analyzed. Collectors can apply transformations to the data such as filtering or aggregation.
The following is an example of collector with TLS enabled:
volumeMounts: - name: tls mountPath: /etc/config/tls volumes: - name: tls secret: secretName: collector-tls-
Dashboard: The Dashboard component is a back-end service that serves the CN2 GUI.
The following is an example of Dashboard with TLS enabled:
volumeMounts: - name: tls mountPath: /etc/config/tls volumes: - name: tls secret: secretName: dashboard-tls -
Portal: The portal analytics component enables a high-level overview of traffic patterns aggregated across a single portal in a dashboard-style visualization. This data can be used to analyze portal traffic and application rates over time.
The following is an example of portal analytics with TLS enabled:
volumeMounts: - name: tls mountPath: /etc/config/tls volumes: - name: tls secret: secretName: portal-tls -
Introspect: Introspect is a diagnostic utility that allows you to browse the internal state of CN2 components.
The following is an example of Introspect with TLS enabled:
volumeMounts: - name: tls mountPath: /etc/config/tls volumes: - name: tls secret: secretName: introspect-tls
-
-
Multicluster Proxy: Multicluster is used to serve requests pertaining to multiple clusters and RBAC management.
The following is an example of Multicluster Proxy with TLS enabled:
volumeMounts: - name: tls mountPath: /etc/config/tls volumes: - name: tls secret: secretName: multiclusterproxy-tls -
Contrail config exporter: Config exporter is used to get metrics related to deployments, and the virtual machine interface.
The following is an example of Contrail config exporter with TLS enabled:
volumeMounts: - name: tls mountPath: /etc/config/tls volumes: - name: tls secret: secretName: contrailconfigexporter-tls
Enable TLS on Third Party Analytics Components
You can also enable TLS on third party analytics components. Certificate manager creates the certificate and secrets, but these components require additional configurations to enable TLS, as shown in the following examples:
deployment.yaml file.Ambassador
Ambassador serves as an ingress for all incoming API requests (Prometheus, Collector, Dashboard, Proxy) from the outside.
The following is an example of Ambassador with TLS enabled:
---
apiVersion: getambassador.io
kind: Host
metadata:
name: wildcard-host
spec:
hostname: "*"
acmeProvider:
authority: none
tlsSecret:
name: tls-cert
name: tls-amabassador
selector:
matchLabels:
hostname: wildcard-host
Fluentd
Fluentd collects logs, events, and flows running on each CN2 node. Fluentd is the logging agent that performs log collection, parsing, and distribution to other services such as OpenSearch.
The following is an example of Fluentd with TLS enabled:
<source>
@type forward
bind 0.0.0.0
port 24225
<transport tls>
ca_path /etc/tls/ca.crt
cert_path /etc/tls/tls.crt
private_key_path /etc/tls/tls.key
</transport>
InfluxDB
InfluxDB is a time series database built specifically for storing time series data. InfluxDB works with Grafana as a visualization tools for time series data. Enabling TLS encrypts the communication between clients and the InfluxD server.
The following is an example of InfluxDB with TLS enabled:
env:
- name: INFLUXD_TLS_CERT
value: /etc/ssl/tls/tls.crt
- name: INFLUXD_TLS_KEY
value: /etc/ssl/tls/tls.key
volumes:
- name: tls
secret:
secretName: influxdb-tls
mountPoints:
- name: tls
mountPath: /etc/ssl/tlsKube Prometheus Stack
Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana dashboards, and Prometheus rules that provides easy to operate end-to-end Kubernetes cluster monitoring.
The following is an example of Kube Prometheus Stack with TLS enabled:
web:
tlsConfig:Kube
keySecret:
name: prometheus-tls
key: tls.key
cert:
secret:
name: prometheus-tls
key: tls.crt
OpenSearch and OpenSearch Dashboards
OpenSearch is the search and analytics engine in the AWS OpenSearch Stack that provides real time search and analytics for all types of data. OpenSearch Dashboards is the GUI that lets you visualize your OpenSearch data and navigate the OpenSearch Stack.
The following is an example of OpenStack with TLS enabled:
ssl:
transport:
pemcert_filepath: tls/tls.crt
pemkey_filepath: tls/tls.key
pemtrustedcas_filepath: tls/ca.crt
enforce_hostname_verification: false
The following is an example of OpenSearch dashboards with TLS enabled:
opensearch_dashboards.yaml
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
server.ssl.enabled: true
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/tls/ca.crt"]
server.ssl.certificate: /usr/share/opensearch-dashboards/tls/tls.crt
server.ssl.key: /usr/share/opensearch-dashboards/tls/tls.key