Buoyant Enterprise for Linkerd

Unmanaged Buoyant Enterprise for Linkerd Helm Install (UNSUPPORTED)

This guide walks you through installing Buoyant Enterprise for Linkerd (BEL) in an unmanaged configuration using Helm. Follow the steps below in order.

Before you begin, make sure you have the following prerequisites:

  • Access to a Kubernetes cluster
  • Helm installed on your local machine
  • Docker installed on your local machine
  • Credentials to access the BEL Azure Container Registry (ACR) provided on the Buoyant Enterprise for Linkerd Resources page
  • Access to a private internal registry to host the images for production
  • Linkerd Trust Root CA & Identity Certificates & Keys

Before installing Linkerd BEL, you will need to pull the BEL images from the Buoyant Azure Container Registry (ACR) using the credentials provided on the Buoyant Enterprise for Linkerd Resources page. Once you have the images, tag and upload them to your internal private container repository.

Pull BEL Images

Use the following commands to pull the BEL images from the Buoyant ACR. Replace [CUSTOMER_NAME] and [CUSTOMER_PASSWORD] with the username and password provided by Buoyant.

# Create env variables to store your Buoyant ACR access username and password
export BUOYANT_REGISTRY_USER=[CUSTOMER_NAME]
export BUOYANT_REGISTRY_PASS=[CUSTOMER_PASSWORD]

# Log in to the Buoyant ACR
# (quote the variables so special characters in the password survive the shell)
printf '%s' "$BUOYANT_REGISTRY_PASS" | docker login buoyant.azurecr.io \
  --username "$BUOYANT_REGISTRY_USER" \
  --password-stdin

# Pull the BEL images from Buoyant ACR
docker pull buoyant.azurecr.io/enterprise-linkerd/controller:enterprise-2.14.5-1
docker pull buoyant.azurecr.io/enterprise-linkerd/policy-controller:enterprise-2.14.5-1
docker pull buoyant.azurecr.io/enterprise-linkerd/proxy-init:enterprise-2.14.5-1
docker pull buoyant.azurecr.io/enterprise-linkerd/proxy:enterprise-2.14.5-1

Tag and Push Images

Next, tag the pulled images with the appropriate name and push them to your private container repository. Replace [YOUR_REGISTRY] with your private repository URL.

export YOUR_REGISTRY=[YOUR_REGISTRY]

# Tag the BEL images for your private repository
docker tag buoyant.azurecr.io/enterprise-linkerd/controller:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/controller:enterprise-2.14.5-1
docker tag buoyant.azurecr.io/enterprise-linkerd/policy-controller:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/policy-controller:enterprise-2.14.5-1
docker tag buoyant.azurecr.io/enterprise-linkerd/proxy-init:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/proxy-init:enterprise-2.14.5-1
docker tag buoyant.azurecr.io/enterprise-linkerd/proxy:enterprise-2.14.5-1 $YOUR_REGISTRY/enterprise-linkerd/proxy:enterprise-2.14.5-1

# Push the tagged images to your private repository
docker push $YOUR_REGISTRY/enterprise-linkerd/controller:enterprise-2.14.5-1
docker push $YOUR_REGISTRY/enterprise-linkerd/policy-controller:enterprise-2.14.5-1
docker push $YOUR_REGISTRY/enterprise-linkerd/proxy-init:enterprise-2.14.5-1
docker push $YOUR_REGISTRY/enterprise-linkerd/proxy:enterprise-2.14.5-1

Use the Linkerd Trust Root CA & Identity Certificates & Keys to create a Kubernetes Secret that will be used by Helm at runtime. You will need ca.crt, issuer.crt, and issuer.key files.

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 --wrap=0)
  tls.crt: $(cat issuer.crt | base64 --wrap=0)
  tls.key: $(cat issuer.key | base64 --wrap=0)
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

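# The linkerd namespace must already exist, or this apply is rejected.
# The manifest holds the base64-encoded issuer private key (base64 is not
# encryption), so do not commit it or leave it on disk after applying.
kubectl apply -f linkerd-identity-secret.yaml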
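
kubectl apply does not check that issuer.crt chains to ca.crt or that issuer.key belongs to issuer.crt, so a mismatch only surfaces later in the identity service. The script below is an added example, not part of the Buoyant documentation: it assumes the openssl CLI is installed, and the function names, return codes and 30-day expiry threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for ca.crt, issuer.crt and issuer.key.
# Function names and the demo PKI are illustrative, not part of BEL.

# check_identity_material CA_CRT ISSUER_CRT ISSUER_KEY [MIN_DAYS]
# Returns 0 if all checks pass, otherwise the number of the failed check.
check_identity_material() {
  ca=$1 crt=$2 key=$3 min_days=${4:-30}
  # 1. The issuer certificate must chain to the trust anchor.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not chain to $ca" >&2; return 1; }
  # 2. The issuer signs proxy certificates, so it must itself be a CA.
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' ||
    { echo "FAIL: $crt is not a CA certificate" >&2; return 2; }
  # 3. The private key must match the public key in the issuer certificate.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $key does not match $crt" >&2; return 3; }
  # 4. Neither certificate may expire within MIN_DAYS days.
  for c in "$ca" "$crt"; do
    openssl x509 -in "$c" -noout -checkend $((min_days * 86400)) >/dev/null ||
      { echo "FAIL: $c expires within $min_days days" >&2; return 4; }
  done
}

# make_demo_pki DIR [ISSUER_DAYS]: throwaway CA + issuer, constructed sample input.
make_demo_pki() {
  d=$1 days=${2:-365}
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=root.linkerd.cluster.local' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' > "$d/pki.cnf"
  for n in ca issuer; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$d/$n.key" 2>/dev/null
  done
  openssl req -x509 -new -key "$d/ca.key" -config "$d/pki.cnf" \
    -extensions v3_ca -days 3650 -out "$d/ca.crt"
  openssl req -new -key "$d/issuer.key" -config "$d/pki.cnf" \
    -subj '/CN=identity.linkerd.cluster.local' -out "$d/issuer.csr"
  openssl x509 -req -in "$d/issuer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days "$days" -extfile "$d/pki.cnf" -extensions v3_ca \
    -out "$d/issuer.crt" 2>/dev/null
}

# Demo run on the constructed certificates.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
  check_identity_material "$demo/ca.crt" "$demo/issuer.crt" "$demo/issuer.key" &&
  echo "identity material OK"
rm -rf "$demo"
```

Run `check_identity_material ca.crt issuer.crt issuer.key` in the directory holding your real files before generating linkerd-identity-secret.yaml.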

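Create a Helm values file named linkerd-enterprise-values.yaml with the content below. Make sure to replace the identityTrustAnchorsPEM value with your actual CA cert value (the contents of ca.crt), and replace $YOUR_REGISTRY with your private repository URL, because Helm does not expand shell variables inside a values file.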

linkerd-control-plane:
  linkerdVersion: enterprise-2.14.5-1
  controllerImage: $YOUR_REGISTRY/enterprise-linkerd/controller
  policyController:
    image:
      name: $YOUR_REGISTRY/enterprise-linkerd/policy-controller
      version: enterprise-2.14.5-1
  proxyInit:
    image:
      name: $YOUR_REGISTRY/enterprise-linkerd/proxy-init
      version: enterprise-2.14.5-1
  proxy:
    image:
      name: $YOUR_REGISTRY/enterprise-linkerd/proxy
      version: enterprise-2.14.5-1
  identityTrustAnchorsPEM: |
    -----BEGIN CERTIFICATE-----
    MIIBjDCCATOgAwIBAgIQZvMyZ8zFWOxTUb1aNf3TQzAKBggqhkjOPQQDAjAlMSMw
    IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yMzA2MTQyMjAx
    MTBaFw0zMzA2MTEyMjAxMTBaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
    dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1rGzFtOYl+7Bdf9z
    U2dtYk2RA5eJXVdvLQkdFN38x23agHHm3KTjzKEFJGYSzsETXCG/S0HEQfLlz9iD
    tk6dKqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
    VR0OBBYEFIvuJBtRI9ijy2AX23asdYErFqOYMAoGCCqGSM49BAMCA0cAMEQCIFbt
    k3L0LxhmjU+aNuJ2aiRRY3ltz/6ATJTwrppxQ0pwAiAcAyYDrk3uxYkrjdlNTaiu
    z6Vy7O0RL/eaGTTVrG0c1Q==
    -----END CERTIFICATE-----
  identity:
    issuer:
      scheme: kubernetes.io/tls

Now you can install Linkerd BEL using Helm. Replace [YOUR_REGISTRY_SECRET] with the name of the image pull secret for your private registry.

# Install Linkerd BEL CRDs
helm install linkerd-crds \
  --namespace linkerd \
  oci://buoyant.azurecr.io/helm/linkerd-enterprise-crds

# Install Linkerd BEL control plane
helm install linkerd-control-plane \
  --namespace linkerd \
  --set 'linkerd-control-plane.imagePullSecrets[0].name=[YOUR_REGISTRY_SECRET]' \
  --values linkerd-enterprise-values.yaml \
  oci://buoyant.azurecr.io/helm/linkerd-enterprise-control-plane

After the installation is complete, you can verify the Linkerd installation by downloading the Linkerd BEL CLI client and running the linkerd check command:

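# Download the Linkerd BEL CLI client
# (HTTPS only, TLS 1.2 or newer, and fail on HTTP errors instead of piping an error page to sh)
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh

# Run the deployment health check
linkerd check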

This command will check the health and configuration of your Linkerd installation.

Congratulations! You have successfully installed Buoyant Enterprise for Linkerd. You can now use Linkerd to manage and secure your Kubernetes applications.