Enterprise Plan installation
In this guide, we’ll walk you through how to install BEL when you are on an Enterprise Plan. This installation includes:
- BEL installed with the latest hotpatch release.
- A highly-available control plane that is deployed as multiple replicas, with node anti-affinity constraints.
- Our Lifecycle automation operator to automate control plane and data plane upgrades.
- Explicit choices about the longevity of TLS credentials.
- Optional FIPS-140-2 compliance.
- Optional installation of Buoyant Cloud.
Before you begin, make sure you have the following:
- An Enterprise plan of BEL
- A functioning Kubernetes cluster
- Helm installed on your local machine
Step 0: Get your license key
BEL requires a valid license key to run, which is available through the Buoyant portal. Following the instructions there, you should end up with environment variables like this:
export API_CLIENT_ID=[ID]
export API_CLIENT_SECRET=[SECRET]
export BUOYANT_LICENSE=[LICENSE]
Note: If you are installing BEL without Buoyant Cloud, then you will only need the BUOYANT_LICENSE environment variable.
Step 1: Getting the CLI tool
The first step is to download and install the BEL CLI:
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install-hotpatch | sh
Follow the instructions to add the linkerd CLI to your system path.
Verify that the CLI is installed and running the expected version with:
linkerd version --client
You should see:
Client version: enterprise-2.17.0-2
Finally, validate that your cluster is ready for installation:
linkerd check --pre
Step 2: Install the BEL lifecycle automation operator
The next step is to install BEL’s lifecycle automation components, which will automate installation and upgrades of BEL.
Start by adding/updating the linkerd-buoyant repo:
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
Now, we can install the BEL lifecycle automation operator itself:
If you are installing without Buoyant Cloud:
helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license=$BUOYANT_LICENSE \
  linkerd-buoyant/linkerd-buoyant
If you are installing with Buoyant Cloud:
helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set metadata.agentName=[your_cluster_name] \
  --set api.clientID=$API_CLIENT_ID \
  --set api.clientSecret=$API_CLIENT_SECRET \
  linkerd-buoyant/linkerd-buoyant
Step 3: Create the TLS infrastructure
Most of Linkerd’s TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.
To do this, follow the Linkerd Trust Root CA & Identity Certificates & Keys docs. You will need the resulting ca.crt, issuer.crt, and issuer.key files.
cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF
kubectl apply -f linkerd-identity-secret.yaml
If you plan to use this cluster outside of demo/testing purposes, keep these files somewhere safe.
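Before building the Secret above, it is worth confirming that the three files actually fit together and will not expire sooner than you intend. The following pre-flight check is an added example, not part of the BEL or Linkerd tooling; it assumes openssl is on the path, and the function names, return codes and 30-day default are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check of ca.crt, issuer.crt and issuer.key.
# Function names and return codes are illustrative, not BEL tooling.

# SHA-256 of the DER-encoded public key read in PEM form from stdin.
spki_hash() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: check_identity_material CA_CRT ISSUER_CRT ISSUER_KEY [MIN_DAYS]
# Returns 0 when every check passes, otherwise:
#   1 issuer is not signed by the trust anchor
#   2 private key does not belong to the issuer certificate
#   3 trust anchor or issuer expires within MIN_DAYS
#   4 issuer certificate is not marked as a CA
check_identity_material() {
  ca=$1 crt=$2 key=$3 min_days=${4:-30}

  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
    echo "FAIL: $crt does not chain to $ca" >&2; return 1; }

  # Compare public keys rather than file names or subjects.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | spki_hash)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | spki_hash)
  [ "$crt_pub" = "$key_pub" ] || {
    echo "FAIL: $key is not the private key for $crt" >&2; return 2; }

  # -checkend exits non-zero if the cert expires within the given seconds.
  for f in "$ca" "$crt"; do
    openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null || {
      echo "FAIL: $f expires within $min_days days" >&2; return 3; }
  done

  # The issuer signs proxy certificates, so it must itself be a CA.
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || {
    echo "FAIL: $crt lacks basicConstraints CA:TRUE" >&2; return 4; }

  echo "OK: issuer chains to trust anchor, key matches, validity > $min_days days"
}
```

Run it as `check_identity_material ca.crt issuer.crt issuer.key 30` from the directory holding the files, and only create the Secret when it returns 0.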
Step 4: Configure the lifecycle operator with these TLS credentials
Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.
To do this, create a CRD config that will be used by the Linkerd BEL operator to install and manage the Linkerd control plane. You will need the ca.crt file from above.
For a standard (non-FIPS) installation:
cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.17.0-2
      controlPlaneConfig:
        license: $BUOYANT_LICENSE
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
        # HA config
$(
tmp=$(mktemp -d)
helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir "$tmp"
cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" | sed 's/^/        /'
)
EOF
For a FIPS installation, use the -fips version:
cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.17.0-2-fips
      controlPlaneConfig:
        license: $BUOYANT_LICENSE
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
        # HA config
$(
tmp=$(mktemp -d)
helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir "$tmp"
cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" | sed 's/^/        /'
)
EOF
If you are on GKE 1.29+, you need to set a custom clusterNetworks value:
spec:
  components:
    linkerd:
      controlPlaneConfig:
        clusterNetworks: "34.118.224.0/20,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
For more information see the GKE docs.
Step 5: Install BEL
Finally, we’re ready to install BEL! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:
kubectl apply -f linkerd-control-plane-config.yaml
Step 6: Verify your installation
After the installation is complete, you can verify the health and configuration of Linkerd by running the linkerd check command:
linkerd check
That’s it!
You have successfully installed BEL onto your cluster, in such a way that (thanks to the lifecycle automation operator) future upgrades are trivial and can be managed in a purely declarative, GitOps workflow.
Happy meshing!