Buoyant Enterprise for Linkerd

Buoyant Enterprise for Linkerd (FIPS mode) with Buoyant Cloud

In this guide, we will walk you through the process of installing Linkerd BEL (Buoyant Enterprise for Linkerd) with FIPS (Federal Information Processing Standards) mode enabled using the Buoyant Enterprise Cloud operator. Please follow these detailed steps:

Before you begin, make sure you have the following prerequisites:

  • Access to a Kubernetes cluster
  • Helm installed on your local machine
  • Docker installed on your local machine
  • Credentials to access the BEL Azure Container Registry (ACR) provided on the Buoyant Enterprise for Linkerd Resources page
  • Access to a private internal registry to host the images for production
  • Access to Buoyant Cloud
  • Linkerd Trust Root CA & Identity Certificates & Keys

Before installing Linkerd BEL, you will need to pull the BEL images from the Buoyant Azure Container Registry (ACR) using the credentials provided on the Buoyant Enterprise for Linkerd Resources page. Once you have the images, tag and upload them to your internal private container repository.

Pull BEL Images

Use the following commands to pull the BEL images from the Buoyant ACR. Replace [CUSTOMER_NAME] and [CUSTOMER_PASSWORD] with the username and password provided by Buoyant.

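# Create env variables to store your Buoyant ACR access username and password
export BUOYANT_REGISTRY_USER=[CUSTOMER_NAME]
export BUOYANT_REGISTRY_PASS=[CUSTOMER_PASSWORD]

# Log in to the Buoyant ACR
echo "$BUOYANT_REGISTRY_PASS" | docker login buoyant.azurecr.io \
  --username "$BUOYANT_REGISTRY_USER" --password-stdin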

# Pull the BEL images from Buoyant ACR
docker pull buoyant.azurecr.io/enterprise-linkerd/controller:enterprise-2.14.5-1-fips
docker pull buoyant.azurecr.io/enterprise-linkerd/policy-controller:enterprise-2.14.5-1-fips
docker pull buoyant.azurecr.io/enterprise-linkerd/proxy-init:enterprise-2.14.5-1-fips
docker pull buoyant.azurecr.io/enterprise-linkerd/proxy:enterprise-2.14.5-1-fips

Tag and Push Images

Next, tag the pulled images with the appropriate name and push them to your private container repository. Replace [YOUR_REGISTRY] with your private repository URL.


# Create an env variable to store your private registry URL
export YOUR_REGISTRY=[YOUR_REGISTRY]

# Tag the BEL images for your private repository
docker tag buoyant.azurecr.io/enterprise-linkerd/controller:enterprise-2.14.5-1-fips $YOUR_REGISTRY/enterprise-linkerd/controller:enterprise-2.14.5-1-fips
docker tag buoyant.azurecr.io/enterprise-linkerd/policy-controller:enterprise-2.14.5-1-fips $YOUR_REGISTRY/enterprise-linkerd/policy-controller:enterprise-2.14.5-1-fips
docker tag buoyant.azurecr.io/enterprise-linkerd/proxy-init:enterprise-2.14.5-1-fips $YOUR_REGISTRY/enterprise-linkerd/proxy-init:enterprise-2.14.5-1-fips
docker tag buoyant.azurecr.io/enterprise-linkerd/proxy:enterprise-2.14.5-1-fips $YOUR_REGISTRY/enterprise-linkerd/proxy:enterprise-2.14.5-1-fips

# Push the tagged images to your private repository
docker push $YOUR_REGISTRY/enterprise-linkerd/controller:enterprise-2.14.5-1-fips
docker push $YOUR_REGISTRY/enterprise-linkerd/policy-controller:enterprise-2.14.5-1-fips
docker push $YOUR_REGISTRY/enterprise-linkerd/proxy-init:enterprise-2.14.5-1-fips
docker push $YOUR_REGISTRY/enterprise-linkerd/proxy:enterprise-2.14.5-1-fips

# create the linkerd-buoyant namespace where the operator will live
kubectl create ns linkerd-buoyant

# create a docker-registry secret for the Buoyant ACR registry
kubectl create secret docker-registry buoyant-registry-secret \
  --namespace linkerd-buoyant \
  --docker-server=buoyant.azurecr.io \
  --docker-username=$BUOYANT_REGISTRY_USER \
  --docker-password=$BUOYANT_REGISTRY_PASS

# add the Buoyant Helm repository
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

Navigate to https://buoyant.cloud/settings?helm=1 and paste the values into a values.yaml file.

helm install linkerd-buoyant \
  --namespace linkerd-buoyant \
  --set controlPlaneOperator.helmDockerConfigJSONSecret=buoyant-registry-secret \
  --set metadata.agentName=[your_cluster_name] \
  --values values.yaml \
  linkerd-buoyant/linkerd-buoyant

Run post-install operator health checks

# Download the linkerd-buoyant CLI client
curl -sL https://buoyant.cloud/install | sh

# Run healthcheck
linkerd-buoyant check

Use the Linkerd Trust Root CA & Identity Certificates & Keys to create a Kubernetes Secret that will be used by Helm at runtime. You will need ca.crt, issuer.crt, and issuer.key files.

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 --wrap=0)
  tls.crt: $(cat issuer.crt | base64 --wrap=0)
  tls.key: $(cat issuer.key | base64 --wrap=0)
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

kubectl apply -f linkerd-identity-secret.yaml
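
A pre-flight check for the three files, to run before the secret is applied; this is an added example, not part of Buoyant's guide. It confirms that issuer.crt chains to ca.crt, that issuer.key is its private key, and that neither certificate is about to expire. The function names and the throwaway certificates generated by make_demo_material are constructed for illustration, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: pre-flight check for ca.crt / issuer.crt / issuer.key.
# Usage: check_identity_material ca.crt issuer.crt issuer.key
check_identity_material() {
  ca=$1; crt=$2; key=$3
  # 1. issuer.crt must chain to the trust anchor that the proxies will load.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against $ca" >&2; return 1; }
  # 2. issuer.key must be the private key for issuer.crt (compare public keys).
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read $key" >&2; return 1; }
  [ "$crt_pub" = "$key_pub" ] ||
    { echo "FAIL: $key does not match $crt" >&2; return 1; }
  # 3. Neither certificate may expire within the next 24 hours.
  for c in "$ca" "$crt"; do
    openssl x509 -in "$c" -noout -checkend 86400 >/dev/null ||
      { echo "FAIL: $c expires within 24 hours" >&2; return 1; }
  done
  echo "OK: $crt chains to $ca and matches $key"
}

# Constructed throwaway material for a dry run (not the page's certificates).
make_demo_material() {
  d=$1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key" &&
  openssl req -x509 -new -key "$d/ca.key" -subj "/CN=root.linkerd.cluster.local" \
    -days 30 -out "$d/ca.crt" &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/issuer.key" &&
  openssl req -new -key "$d/issuer.key" -subj "/CN=identity.linkerd.cluster.local" \
    -out "$d/issuer.csr" &&
  openssl x509 -req -in "$d/issuer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/issuer.crt"
} 2>/dev/null

demo=$(mktemp -d)
make_demo_material "$demo" &&
  check_identity_material "$demo/ca.crt" "$demo/issuer.crt" "$demo/issuer.key"
```
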

The linkerd-injector workload needs access to the private repo where you previously pushed the enterprise images in order to properly inject the linkerd-proxy into the cluster workloads. To ensure registry access, create a secret for your private registry repo in the linkerd-buoyant namespace:

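# YOUR_REGISTRY_USER and YOUR_REGISTRY_PASS hold your private registry credentials
kubectl create secret docker-registry private-registry-secret \
  --namespace linkerd-buoyant \
  --docker-server=$YOUR_REGISTRY \
  --docker-username=$YOUR_REGISTRY_USER \
  --docker-password=$YOUR_REGISTRY_PASS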

Create a CRD config that will be used by the Linkerd BEL operator to install and manage the linkerd control plane. You will need ca.crt.

cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane-operator
spec:
  components:
    linkerd:
      version: enterprise-2.14.5-1
      controlPlaneConfig:
        controllerImage: $YOUR_REGISTRY/enterprise-linkerd/controller
        controllerImageVersion: enterprise-2.14.5-1-fips
        policyController:
          image:
            name: $YOUR_REGISTRY/enterprise-linkerd/policy-controller
            version: enterprise-2.14.5-1-fips
        proxyInit:
          image:
            name: $YOUR_REGISTRY/enterprise-linkerd/proxy-init
            version: enterprise-2.14.5-1-fips
        proxy:
          image:
            name: $YOUR_REGISTRY/enterprise-linkerd/proxy
            version: enterprise-2.14.5-1-fips
        imagePullSecrets:
        - name: private-registry-secret
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
EOF

Apply the ControlPlane CRD config to have the Linkerd BEL operator create the Linkerd control plane:

kubectl apply -f linkerd-control-plane-config.yaml
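
A check to run on linkerd-control-plane-config.yaml before the kubectl apply above (added example, not part of Buoyant's guide). Because the heredoc expands $YOUR_REGISTRY when the file is written, an unset variable yields image names that start with "/"; the function rejects those and any image tag without the -fips suffix. check_fips_images, the sample lines and registry.example.internal are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-apply check for linkerd-control-plane-config.yaml.
# Usage: check_fips_images <manifest> <expected-registry>
# Returns non-zero if any image is outside the registry or lacks a -fips tag.
check_fips_images() {
  awk -v reg="$2" '
    # Image reference: controllerImage, or a name: value that contains "/".
    $1 == "controllerImage:" || ($1 == "name:" && $2 ~ /\//) {
      img = $2; want_tag = 1
      if (index(img, reg "/") != 1) { printf "wrong registry: %s\n", img; bad = 1 }
      next
    }
    # Its tag is the version line that directly follows the image line.
    want_tag && ($1 == "controllerImageVersion:" || $1 == "version:") {
      if ($2 !~ /-fips$/) { printf "non-FIPS tag: %s:%s\n", img, $2; bad = 1 }
      want_tag = 0; n++; next
    }
    { want_tag = 0 }
    END {
      if (n != 4) { printf "expected 4 tagged images, found %d\n", n; bad = 1 }
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample (image lines only). registry.example.internal is a
# placeholder; proxy-init shows an unset $YOUR_REGISTRY, proxy a non-FIPS tag.
sample=$(mktemp)
cat > "$sample" <<'EOF'
        controllerImage: registry.example.internal/enterprise-linkerd/controller
        controllerImageVersion: enterprise-2.14.5-1-fips
            name: registry.example.internal/enterprise-linkerd/policy-controller
            version: enterprise-2.14.5-1-fips
            name: /enterprise-linkerd/proxy-init
            version: enterprise-2.14.5-1-fips
            name: registry.example.internal/enterprise-linkerd/proxy
            version: enterprise-2.14.5-1
        - name: private-registry-secret
EOF
check_fips_images "$sample" registry.example.internal || echo "do not apply"
```
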

After the installation is complete, you can verify the Linkerd installation by downloading the Linkerd BEL CLI client and running the linkerd check command:

# download Linkerd BEL CLI client
curl https://enterprise.buoyant.io/install | sh

# run deployment healthcheck
linkerd check

This command will check the health and configuration of your Linkerd installation.

Congratulations! You have successfully installed Linkerd BEL using the Buoyant Enterprise Cloud operator. You can now use Linkerd to manage and secure your Kubernetes applications. To make adjustments to your Linkerd deployment simply edit and re-apply the previously-created linkerd-control-plane-config.yaml CRD config.

Happy Meshing!