Enterprise Plan installation

In this guide, we’ll walk you through how to install BEL when you are on an Enterprise Plan. This installation includes:

  • BEL installed with the latest hotpatch release.
  • A highly-available control plane that is deployed as multiple replicas, with node anti-affinity constraints.
  • Our Lifecycle automation operator to automate control plane and data plane upgrades.
  • Explicit choices about the longevity of TLS credentials.
  • Optional FIPS-140-2 compliance.
  • Optional installation of Buoyant Cloud.

Before you begin, make sure you have the following:

  • An Enterprise plan of BEL
  • A functioning Kubernetes cluster
  • Helm installed on your local machine

Step 0: Get your license key

BEL requires a valid license key to run, which is available through the Buoyant portal. Following the instructions there, you should end up with environment variables like this:

export API_CLIENT_ID=[ID]
export API_CLIENT_SECRET=[SECRET]
export BUOYANT_LICENSE=[LICENSE]

Note: If you are installing BEL without Buoyant Cloud, then you will only need the BUOYANT_LICENSE environment variable.

Step 1: Getting the CLI tool

The first step is to download and install the BEL CLI:

curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install-hotpatch | sh

Follow the instructions to add the linkerd CLI to your system path.

Verify that the CLI is installed and running the expected version with:

linkerd version --client

You should see:

Client version: enterprise-2.16.1-0

Finally, validate that your cluster is ready for installation:

linkerd check --pre

Step 2: Install the BEL lifecycle automation operator

The next step is to install the BEL’s lifecycle automation components, which will automate installation and upgrades of BEL.

Start by adding/updating the linkerd-buoyant repo:

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

Now, we can install the BEL lifecycle automation operator itself:

helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license=$BUOYANT_LICENSE \
  linkerd-buoyant/linkerd-buoyant
helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set metadata.agentName=[your_cluster_name] \
  --set api.clientID=$API_CLIENT_ID \
  --set api.clientSecret=$API_CLIENT_SECRET \
  linkerd-buoyant/linkerd-buoyant

Step 3: Create the TLS infrastructure

Most of Linkerd’s TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

To do this, follow the Linkerd Trust Root CA & Identity Certificates & Keys docs. You will need the resulting ca.crt, issuer.crt, and issuer.key files.

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

kubectl apply -f linkerd-identity-secret.yaml

If you plan to use this cluster outside of demo/testing purposes, keep these files somewhere safe.

Step 4: Configure the lifecycle operator with these TLS credentials

Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.

To do this, create a CRD config that will be used by the Linkerd BEL operator to install and manage the Linkerd control plane. You will need the ca.crt file from above.

cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.16.1-0
      controlPlaneConfig:
        license: $BUOYANT_LICENSE
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls

        # HA config

$(
  tmp=$(mktemp -d)
  helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir $tmp
  cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
    tail -n +2 |
    sed 's/^/      /'
)
EOF
cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.16.1-0-fips
      controlPlaneConfig:
        license: $BUOYANT_LICENSE
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls

        # HA config

$(
  tmp=$(mktemp -d)
  helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir $tmp
  cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
    tail -n +2 |
    sed 's/^/      /'
)
EOF
If you are on GKE 1.29+, you need to set a custom clusterNetworks value. Learn more
spec:
  components:
    linkerd:
      controlPlaneConfig:
        clusterNetworks: "34.118.224.0/20,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"

For more information see the GKE docs.

Step 5: Install BEL

Finally, we’re ready to install BEL! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:

kubectl apply -f linkerd-control-plane-config.yaml

Step 6: Verify your installation

After the installation is complete, you can verify the health and configuration of Linkerd by running the linkerd check command:

linkerd check

That’s it!

You have successfully installed BEL onto your cluster, in such a way that (thanks to the lifecycle automation operator) future upgrades are trivial and can be managed in a purely declarative, GitOps workflow.

You can also use BEL’s lifecycle automation to manage the data plane on your cluster, separate from the control plane. Please see our lifecycle automation management guide to get started.

Happy meshing!