Buoyant Enterprise for Linkerd

In this guide, we will walk you through the process of installing Linkerd BEL (Buoyant Enterprise for Linkerd) using the Buoyant Enterprise operator. Please follow these detailed steps:

Before you begin, make sure you have the following prerequisites:

  • Access to a Kubernetes cluster
  • Helm installed on your local machine
  • Docker installed on your local machine
  • Credentials to access the BEL Azure Container Registry (ACR) provided on the Buoyant Enterprise for Linkerd Resources page
  • Access to a private internal registry to host the images for production
  • Buoyant Enterprise for Linkerd License provided by Buoyant
  • Linkerd Trust Root CA & Identity Certificates & Keys

Before installing Linkerd BEL, you will need to pull the BEL images from the Buoyant Azure Container Registry (ACR) using the credentials provided on the Buoyant Enterprise for Linkerd Resources page. Once you have the images, tag and upload them to your internal private container repository.

Pull BEL Images

Use the following commands to pull the BEL images from the Buoyant ACR. Replace [CUSTOMER_NAME] and [CUSTOMER_PASSWORD] with the username and password provided by Buoyant.

# Create env variables to store your Buoyant ACR access username and password
export BUOYANT_REGISTRY_USER=[CUSTOMER_NAME]
export BUOYANT_REGISTRY_PASS=[CUSTOMER_PASSWORD]

# Log in to the Buoyant ACR
printf '%s' "$BUOYANT_REGISTRY_PASS" | docker login buoyant.azurecr.io \
  --username "$BUOYANT_REGISTRY_USER" \
  --password-stdin

# Pull the BEL images from Buoyant ACR
docker pull buoyant.azurecr.io/enterprise-linkerd/controller:enterprise-2.14.5-1
docker pull buoyant.azurecr.io/enterprise-linkerd/policy-controller:enterprise-2.14.5-1
docker pull buoyant.azurecr.io/enterprise-linkerd/proxy-init:enterprise-2.14.5-1
docker pull buoyant.azurecr.io/enterprise-linkerd/proxy:enterprise-2.14.5-1

Tag and Push Images

Next, tag the pulled images with the appropriate name and push them to your private container repository. Replace [YOUR_REGISTRY] with your private repository URL.

export YOUR_REGISTRY=[YOUR_REGISTRY]

# Tag the BEL images for your private repository
docker tag buoyant.azurecr.io/enterprise-linkerd/controller:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/controller:enterprise-2.14.5-1
docker tag buoyant.azurecr.io/enterprise-linkerd/policy-controller:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/policy-controller:enterprise-2.14.5-1
docker tag buoyant.azurecr.io/enterprise-linkerd/proxy-init:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/proxy-init:enterprise-2.14.5-1
docker tag buoyant.azurecr.io/enterprise-linkerd/proxy:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/proxy:enterprise-2.14.5-1

# Push the tagged images to your private repository
docker push $YOUR_REGISTRY/enterprise-linkerd/controller:enterprise-2.14.5-1
docker push $YOUR_REGISTRY/enterprise-linkerd/policy-controller:enterprise-2.14.5-1
docker push $YOUR_REGISTRY/enterprise-linkerd/proxy-init:enterprise-2.14.5-1
docker push $YOUR_REGISTRY/enterprise-linkerd/proxy:enterprise-2.14.5-1

# create the linkerd-buoyant namespace where the operator will live
kubectl create ns linkerd-buoyant

# create a docker-registry secret for the Buoyant ACR registry
kubectl create secret docker-registry buoyant-registry-secret \
  --namespace linkerd-buoyant \
  --docker-server=buoyant.azurecr.io \
  --docker-username="$BUOYANT_REGISTRY_USER" \
  --docker-password="$BUOYANT_REGISTRY_PASS"

# Add the Buoyant Helm repository and install the operator chart,
# pointing it at the registry secret and the license file
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
helm install linkerd-buoyant \
  --namespace linkerd-buoyant \
  --set controlPlaneOperator.helmDockerConfigJSONSecret=buoyant-registry-secret \
  --set buoyantCloudEnabled=false \
  --set-file license=./license \
  linkerd-buoyant/linkerd-buoyant

Run post-install operator health checks

# Download the linkerd-buoyant CLI client
curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/install | sh

# Run healthcheck
linkerd-buoyant check

Use the Linkerd Trust Root CA & Identity Certificates & Keys to create a Kubernetes Secret that will be used by Helm at runtime. You will need ca.crt, issuer.crt, and issuer.key files.

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 --wrap=0)
  tls.crt: $(cat issuer.crt | base64 --wrap=0)
  tls.key: $(cat issuer.key | base64 --wrap=0)
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

kubectl apply -f linkerd-identity-secret.yaml

The linkerd-injector workload needs access to the private repo where you previously pushed the enterprise images in order to properly inject the linkerd-proxy into the cluster workloads. To ensure registry access, create a secret for your private registry repo in the linkerd-buoyant namespace:

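# YOUR_REGISTRY_USER and YOUR_REGISTRY_PASS must hold the credentials
# for your private registry; export them before running this command
kubectl create secret docker-registry private-registry-secret \
  --namespace linkerd-buoyant \
  --docker-server="$YOUR_REGISTRY" \
  --docker-username="$YOUR_REGISTRY_USER" \
  --docker-password="$YOUR_REGISTRY_PASS"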

Create a CRD config that the Linkerd BEL operator will use to install and manage the Linkerd control plane. You will need ca.crt.

cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane-operator
spec:
  components:
    linkerd:
      version: enterprise-2.14.5-1
      controlPlaneConfig:
        controllerImage: $YOUR_REGISTRY/enterprise-linkerd/controller
        policyController:
          image:
            name: $YOUR_REGISTRY/enterprise-linkerd/policy-controller
        proxyInit:
          image:
            name: $YOUR_REGISTRY/enterprise-linkerd/proxy-init
        proxy:
          image:
            name: $YOUR_REGISTRY/enterprise-linkerd/proxy
        imagePullSecrets:
        - name: private-registry-secret
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
EOF
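
The heredoc above still writes a file when YOUR_REGISTRY is unset or ca.crt is missing, leaving image names that start with "/" and an empty trust anchor. The following check of the rendered manifest is an added example, not part of Buoyant's guide or tooling; lint_control_plane_config, render_sample and registry.example.internal are hypothetical names, and the sample manifest is constructed.

```shell
#!/bin/sh
# Added example: prints one line per problem found in the rendered manifest
# and returns non-zero if there was any.
lint_control_plane_config() {  # $1 = FILE, $2 = expected private registry
  file=$1; registry=$2; problems=0
  fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
  [ -n "$registry" ] || fail "registry is empty (YOUR_REGISTRY unset?)"
  # A literal '$' means the heredoc was quoted and nothing was expanded.
  if grep -q '\$' "$file"; then fail "unexpanded shell syntax"; fi
  # Only the trust anchor belongs here; key material would be a leak.
  if grep -q 'PRIVATE KEY' "$file"; then fail "private key in manifest"; fi
  # All four image references must point at the private registry.
  images=$(grep -E '^ *(controllerImage|name): .*/enterprise-linkerd/' "$file" |
    sed 's/^[^:]*: *//')
  count=0
  for img in $images; do
    count=$((count + 1))
    case $img in
      "$registry"/enterprise-linkerd/*) ;;
      *) fail "image not under $registry: $img" ;;
    esac
  done
  [ "$count" -eq 4 ] || fail "expected 4 image references, found $count"
  # Lines indented deeper than the key form the trust-anchor block scalar.
  anchors=$(awk '/identityTrustAnchorsPEM:/ {on = 1; next}
    on && /^          / {print; next}
    on {exit}' "$file")
  begins=$(printf '%s\n' "$anchors" | grep -c -e '-BEGIN CERTIFICATE-' || true)
  ends=$(printf '%s\n' "$anchors" | grep -c -e '-END CERTIFICATE-' || true)
  if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
    fail "identityTrustAnchorsPEM holds no complete PEM certificate"
  fi
  [ "$problems" -eq 0 ]
}

# Constructed sample shaped like the guide's heredoc output.
render_sample() {  # $1 = registry, $2 = trust anchor text (may be empty)
  printf '%s\n' 'spec:' "        controllerImage: $1/enterprise-linkerd/controller"
  for c in policy-controller proxy-init proxy; do
    printf '            name: %s/enterprise-linkerd/%s\n' "$1" "$c"
  done
  printf '%s\n' '        identityTrustAnchorsPEM: |'
  printf '%s\n' "$2" | sed 's/^/          /'
  printf '%s\n' '        identity:'
}

tmp=$(mktemp)
render_sample "" "" > "$tmp"   # YOUR_REGISTRY unset and ca.crt missing
lint_control_plane_config "$tmp" "registry.example.internal"
rm -f "$tmp"
```

Against the guide's own output the call would be `lint_control_plane_config linkerd-control-plane-config.yaml "$YOUR_REGISTRY"`, run before the kubectl apply step.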

Apply the ControlPlane CRD config to have the Linkerd BEL operator create the Linkerd control plane:

kubectl apply -f linkerd-control-plane-config.yaml

After the installation is complete, you can verify the Linkerd installation by downloading the Linkerd BEL CLI client and running the linkerd check command:

# download Linkerd BEL CLI client
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh

# run deployment healthcheck
linkerd check

This command will check the health and configuration of your Linkerd installation.

Congratulations! You have successfully installed Linkerd BEL using the Buoyant Enterprise operator. You can now use Linkerd to manage and secure your Kubernetes applications. To make adjustments to your Linkerd deployment, simply edit and re-apply the previously created linkerd-control-plane-config.yaml CRD config.

Happy Meshing!