Installing BEL on any Kubernetes cluster is easy. Before you begin, make sure you have the following:

  1. A functioning Kubernetes cluster
  2. Helm installed on your local machine
This guide assumes you don’t already have Linkerd running on your cluster. If you’re upgrading from an existing Linkerd installation, see our upgrade guide instead.
If you are on the Enterprise Plan for BEL, see the Enterprise Plan installation guide.

BEL requires a valid license key to run, which is freely available through the Buoyant portal. Following the instructions there, you should end up with an environment variable like this:


The commands below require that you have this environment variable set.

The first step is to download and install the BEL CLI:

curl --proto '=https' --tlsv1.2 -sSfL | sh

Follow the instructions to add the linkerd CLI to your system path.

Verify that the CLI is installed and running the expected version with:

linkerd version --client

You should see:

Client version: enterprise-2.15.1

Finally, validate that your cluster is ready for installation:

linkerd check --pre

The next step is to install the BEL’s Linkerd lifecycle automation components, which will automate installation and upgrades of BEL.

Start by adding/updating the linkerd-buoyant repo:

helm repo add linkerd-buoyant
helm repo update

Now, we can install the BEL lifecycle automation operator itself:

helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license=$BUOYANT_LICENSE \

Most of Linkerd’s TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

To do this, follow the Linkerd Trust Root CA & Identity Certificates & Keys docs. You will need the resulting ca.crt, issuer.crt, and issuer.key files.

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
  name: linkerd-identity-issuer
  namespace: linkerd

kubectl apply -f linkerd-identity-secret.yaml

If you plan to use this cluster outside of demo/testing purposes, keep these files somewhere safe.

Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.

To do this, create a CRD config that will be used by the Linkerd BEL operator to install and manage the Linkerd control plane. You will need the ca.crt file from above.

cat <<EOF > linkerd-control-plane-config.yaml
kind: ControlPlane
  name: linkerd-control-plane
      version: enterprise-2.15.1
      license: $BUOYANT_LICENSE
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')

Finally, we’re ready to install BEL! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:

kubectl apply -f linkerd-control-plane-config.yaml

After the installation is complete, you can verify the health and configuration of Linkerd by running the linkerd check command:

linkerd check

You have successfully installed BEL onto your cluster, in such a way that (thanks to the lifecycle automation operator) future upgrades are trivial and can be managed in a purely declarative, GitOps workflow.

Happy meshing!