Deploying Service Chain (cSRX) with JCNR

SUMMARY Read this section to learn how to customize and deploy a security services instance (cSRX) with the Cloud-Native Router.

You can integrate the Juniper Cloud-Native Router (JCNR) with Juniper's containerized SRX (cSRX) platform to provide security services such as IPsec. Using host-based service chaining, the cloud-native router is chained with a security service instance (cSRX) in the same Kubernetes cluster. The cSRX instance runs as a pod service in L3 mode. The cSRX instance is customized and deployed via a Helm chart.

You have the option of deploying Juniper cSRX when you're installing JCNR or after you've installed JCNR. See JCNR Software Download Packages for a description of the available packages.

Install cSRX on an Existing JCNR Installation

Follow this procedure to install a cSRX instance on an existing JCNR installation. Ensure all JCNR components are up and running before you start this procedure.

  1. Download and expand the software package for installing Juniper cSRX on an existing JCNR installation. See JCNR Software Download Packages for a description of the software packages available.
  2. Change to the junos_csrx_<release>/helmchart directory and expand the Helm chart.
    The Helm chart is located in the junos-csrx directory.
  3. The cSRX container images are required for deployment. Choose one of the following options:
    • Configure your cluster to deploy images from the Juniper Networks enterprise-hub.juniper.net repository. See Configure Repository Credentials for example instructions on how to configure repository credentials in Helm charts.

    • Configure your cluster to deploy images from the image tarball included in the downloaded cSRX software package. See Deploy Prepackaged Images for example instructions on how to import images to the local containerd runtime.

  4. Follow the steps in Apply the cSRX License and Configure cSRX to apply your cSRX license and configure the cSRX Helm chart.
  5. Install cSRX.
    Navigate to the junos_csrx_<release>/helmchart/junos-csrx directory and issue the following command to install the cSRX instance.

Install cSRX During JCNR Installation

Follow the steps in the respective JCNR installation sections to install JCNR. One of the steps will refer you to Apply the cSRX License and Configure cSRX.

Apply the cSRX License and Configure cSRX

Follow this procedure to apply your cSRX license and configure Juniper cSRX.

The following steps assume you're in the Juniper_Cloud_Native_Router_CSRX_<release> directory if installing cSRX and JCNR together, or in the junos_csrx_<release> directory if installing cSRX on an existing JCNR installation.

  1. Replace /etc/kubernetes/kubelet.conf with the cluster kubeconfig on all nodes where you want to install the JCNR and cSRX combination. This applies to both installing cSRX during JCNR installation and installing cSRX on an existing JCNR installation. If you don't perform this step, the installation may fail.
    For example (assuming your kubeconfig is at the default ~/.kube/config location):
    Here, <worker-node-ip> is the IP address of a node where you want to install both JCNR and cSRX. Repeat for all nodes where you want to install both JCNR and cSRX.
  2. Apply your Juniper cSRX license.
    1. If the secrets/csrx-secrets.yaml doesn't exist in your software package, create it with the contents below:
    2. Encode your license in base64.

      Copy your Juniper cSRX license file onto your host server and issue the command:

      The output of this command is your base64-encoded license.
    3. Replace <add your license in base64 format> with your base64-encoded license.
      Note:

      You must obtain your license file from your account team and install it in the secrets/csrx-secrets.yaml file as instructed above. The csrx-init container performs a license check and proceeds only if the required secret service-chain-instance is found.

    4. Apply the secrets/csrx-secrets.yaml to the Kubernetes cluster.
  3. Configure the cSRX Helm chart.
    • If you're installing cSRX at the same time you're installing JCNR, then you're configuring the junos-csrx section of the combination Helm chart in Juniper_Cloud_Native_Router_CSRX_<release>/helmchart/jcnr_csrx/values.yaml.

    • If you're installing cSRX on an existing JCNR installation, then you're configuring the csrx section of the standalone Helm chart in junos_csrx_<release>/helmchart/junos-csrx/values.yaml.

    Refer to the cSRX parameter descriptions in Customize cSRX Helm Chart.
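As an added example for step 2 above (this script is not from the Juniper documentation or the cSRX package), the following POSIX shell script base64-encodes a license file into a secrets/csrx-secrets.yaml manifest and checks the result before you apply it. The Secret name service-chain-instance is the one the page says csrx-init looks for; the data key `license`, the constructed license text and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example, not the product's own code. Builds the license Secret
# manifest and verifies it before "kubectl apply -f". Assumptions: the
# Secret name service-chain-instance (from the page); the data key
# "license" is a placeholder, and the license text below is constructed.
set -e

WORKDIR=$(mktemp -d)
LICENSE_FILE="$WORKDIR/csrx.lic"
SECRET_FILE="$WORKDIR/csrx-secrets.yaml"
printf 'constructed-sample-license-text\n' > "$LICENSE_FILE"  # constructed input

# Encode without line wrapping: a wrapped base64 value breaks the YAML.
encode_license() {
    base64 < "$1" | tr -d '\n'
}

# Write the manifest with the placeholder already replaced by the encoding.
write_secret() {
    lic=$(encode_license "$1")
    cat > "$2" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: service-chain-instance
type: Opaque
data:
  license: $lic
EOF
}

# Pre-apply checks: placeholder gone, value present, and it decodes back
# to the original license file byte for byte.
check_secret() {
    grep -q '<add your license in base64 format>' "$1" && return 1
    lic=$(sed -n 's/^  license: //p' "$1")
    [ -n "$lic" ] || return 1
    [ "$(printf '%s' "$lic" | base64 -d)" = "$(cat "$2")" ]
}

write_secret "$LICENSE_FILE" "$SECRET_FILE"
check_secret "$SECRET_FILE" "$LICENSE_FILE" && echo "secret OK: $SECRET_FILE"
```

Run it with your real license path in place of the constructed file, then apply the generated manifest with kubectl as in step 2.4.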

Customize cSRX Helm Chart

The cSRX service chaining instance is deployed via a Helm chart, either a standalone Helm chart or a combined Helm chart with JCNR. The deployment consists of two essential components:

  • csrx-init: This is an init container that prepares the configuration for the main cSRX application. It extracts the necessary information from the values.yaml file, processes it, and generates the configuration data for cSRX. This ensures that the main cSRX application starts with a valid, up-to-date configuration.

  • csrx: This is the main application container and the core component of the cSRX deployment. It relies on the configuration generated by the csrx-init container to function correctly.

You can customize the cSRX deployment by specifying a range of configuration parameters in the values.yaml file. Key configuration options include:

  • interfaceType: This is the type of interface on the cSRX used to connect to JCNR. It must be set to vhost; no other value is supported.

  • interfaceConfigs: This is an array defining the interface IP address, the gateway address and, optionally, routes. The interface IP must match the localAddress element in the ipSecTunnelConfigs array. The routes should contain the prefixes that steer decrypted traffic to JCNR and a reachability route for the IPsec gateway.

  • ipSecTunnelConfigs: This is an array defining the IPsec configuration details such as the IKE phase 1, proposal, policy and gateway configuration. The traffic selector should cover the traffic that is expected to be encrypted.

  • jcnr_config: This is an array defining the routes to be configured in JCNR to steer traffic from JCNR to cSRX and to steer IPsec traffic from the remote IPsec gateway to the cSRX to apply the security service chain.

Here is the default values.yaml for standalone cSRX deployment: