BEL installation guide

Using the CLI to install BEL is quick and easy, but note that your installation would be optimized for non-production use. For installations that handle production traffic, please use Helm or BEL’s lifecycle operator.
If a tool other than Linkerd is managing the Gateway API resources on your cluster, ensure that the Gateway API resources are installed first, and that the version is compatible with Linkerd.

Get your license key

BEL requires a valid license key to run, which is available through the Buoyant portal. Following the instructions there, you should end up with environment variable(s) like this:

...

Getting the CLI tool

Once you have your license key, the next step is to download and install the BEL CLI:

...

Follow the instructions to add the linkerd CLI to your system path.

Verify that the CLI is installed and running the expected version with:

linkerd version --client

You should see:

...

Finally, validate that your cluster is ready for installation:

linkerd check --pre

Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

helm repo add linkerd-edge https://helm.linkerd.io/edge
helm repo update
helm search repo linkerd2-cni
helm install linkerd-cni -n linkerd-cni --create-namespace linkerd-edge/linkerd2-cni
# ensure the plugin is installed and ready
linkerd check --pre --linkerd-cni-enabled

Install BEL’s lifecycle automation operator

Start by adding/updating the linkerd-buoyant repo:

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

Now, we can install the BEL lifecycle automation operator itself:

...

Create the TLS infrastructure

Most of Linkerd's TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

TLS key management is a complex topic. In this guide we are simply going to create our certificates by hand. Automated rotation of these credentials is commonly used in production environments, but that is outside the scope of this guide.

Follow the Linkerd Trust Root CA & Identity Certificates & Keys doc to create the ca.crt, issuer.crt, and issuer.key files. Pay attention to the lifetimes of the certificates you are creating, especially the trust anchor, and be sure to keep these files in a safe place.
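Before loading these files into the cluster, you can confirm that issuer.crt chains to ca.crt, that issuer.key belongs to issuer.crt, and that neither certificate is close to expiry. The script below is an added example, not part of the BEL documentation or tooling; the function names, the 30-day default threshold and the demo certificate subjects are assumptions, and the demo certificates are constructed on the fly with openssl.

```bash
#!/usr/bin/env bash
# Added example (not Buoyant's code): pre-flight check for the identity files.

# check_identity_certs CA CRT KEY [MIN_DAYS]: prints "ok" and returns 0 when the
# files are consistent, otherwise prints the reason and returns 1.
check_identity_certs() {
  local ca="$1" crt="$2" key="$3" min_days="${4:-30}" crt_pub key_pub f
  # 1. The issuer certificate must chain to the trust anchor.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "issuer certificate is not signed by the trust anchor"; return 1; }
  # 2. The private key must belong to the issuer certificate.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
  [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
    { echo "issuer key does not match issuer certificate"; return 1; }
  # 3. Neither certificate may expire within MIN_DAYS.
  for f in "$ca" "$crt"; do
    openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null ||
      { echo "$f expires within $min_days days"; return 1; }
  done
  echo "ok"
}

# make_demo_certs DIR ISSUER_DAYS: constructed sample material, demo only.
make_demo_certs() {
  local d="$1" days="$2" ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=demo' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca $ec -nodes \
    -days 3650 -subj "/CN=root.linkerd.cluster.local" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" $ec -nodes \
    -subj "/CN=identity.linkerd.cluster.local" \
    -keyout "$d/issuer.key" -out "$d/issuer.csr" 2>/dev/null
  openssl x509 -req -in "$d/issuer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_ca -days "$days" \
    -out "$d/issuer.crt" 2>/dev/null
}

demo() {  # issuer valid for 10 days: passes a 5-day floor, fails a 30-day one
  local d; d=$(mktemp -d)
  make_demo_certs "$d" 10
  check_identity_certs "$d/ca.crt" "$d/issuer.crt" "$d/issuer.key" 5
  check_identity_certs "$d/ca.crt" "$d/issuer.crt" "$d/issuer.key" 30 || true
  check_identity_certs "$d/ca.crt" "$d/issuer.crt" "$d/ca.key" 5 || true
  rm -rf "$d"
}
demo
```

Against your own files, call `check_identity_certs ca.crt issuer.crt issuer.key` and proceed only when it prints `ok`.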

Once these files are created, run the following commands:

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

kubectl apply -f linkerd-identity-secret.yaml

Note: Set [YOUR_CLUSTER_NAME] to the canonical name of the cluster on which you're installing the agent. This will be the name that identifies the cluster in Buoyant Cloud.

Configure the lifecycle operator

Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.

To do this, create a CRD config that will be used by the Linkerd BEL operator to install and manage the Linkerd control plane. You will need the ca.crt file from above.

...
If you are on GKE 1.29+, you need to set a custom clusterNetworks value:
spec:
  components:
    linkerd:
      controlPlaneConfig:
        clusterNetworks: "34.118.224.0/20,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"

For more information see the GKE docs

Install BEL

Finally, we're ready to install BEL on your cluster! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:

kubectl apply -f linkerd-control-plane-config.yaml

Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

helm repo add linkerd-edge https://helm.linkerd.io/edge
helm repo update
helm search repo linkerd2-cni
helm install linkerd-cni -n linkerd-cni --create-namespace linkerd-edge/linkerd2-cni
# ensure the plugin is installed and ready
linkerd check --pre --linkerd-cni-enabled

Create the TLS infrastructure

Most of Linkerd's TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

TLS key management is a complex topic. In this guide we are simply going to create our certificates by hand. Automated rotation of these credentials is commonly used in production environments, but that is outside the scope of this guide.

Follow the Linkerd Trust Root CA & Identity Certificates & Keys doc to create the ca.crt, issuer.crt, and issuer.key files. Pay attention to the lifetimes of the certificates you are creating, especially the trust anchor, and be sure to keep these files in a safe place.

Install BEL using Helm

Start by adding/updating the linkerd-buoyant repo:

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

Now, we can install the BEL components using the ca.crt, issuer.crt, and issuer.key files from above:

...
If you are on GKE 1.29+, you need to set a custom clusterNetworks value:
--set clusterNetworks=34.118.224.0/20\,10.0.0.0/8\,100.64.0.0/10\,172.16.0.0/12\,192.168.0.0/16\,fd00::/8

For more information see the GKE docs

Install the Buoyant Cloud agent

Set [YOUR_CLUSTER_NAME] to the canonical name of the cluster on which you're installing the agent. This will be the name that identifies the cluster in Buoyant Cloud.

helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set metadata.agentName=[YOUR_CLUSTER_NAME] \
  --set api.clientID=$API_CLIENT_ID \
  --set api.clientSecret=$API_CLIENT_SECRET \
  linkerd-buoyant/linkerd-buoyant

Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

linkerd install-cni | kubectl apply -f -
# ensure the plugin is installed and ready
linkerd check --pre --linkerd-cni-enabled

Install BEL using the CLI

Using the CLI to install BEL is quick and easy, but note that the TLS certificates generated by this installation will expire in a year. If you expect your Linkerd installation to run for more than a year, please use Helm or BEL's lifecycle operator.

To install BEL, run:

...
If you are on GKE 1.29+, you need to set a custom clusterNetworks value:
--set clusterNetworks=34.118.224.0/20\,10.0.0.0/8\,100.64.0.0/10\,172.16.0.0/12\,192.168.0.0/16\,fd00::/8

For more information see the GKE docs

Install the Buoyant Cloud agent

Set [YOUR_CLUSTER_NAME] to the canonical name of the cluster on which you're installing the agent. This will be the name that identifies the cluster in Buoyant Cloud.

BUOYANT_CLOUD_CLIENT_ID=$API_CLIENT_ID \
BUOYANT_CLOUD_CLIENT_SECRET=$API_CLIENT_SECRET \
linkerd buoyant install --cluster-name=[YOUR_CLUSTER_NAME] | kubectl apply -f -

Verify your installation

After the installation is complete, you can verify the health and configuration of Linkerd by running the linkerd check command:

linkerd check

That’s it!

You have successfully installed BEL onto your cluster, in such a way that (thanks to the lifecycle automation operator) future upgrades are trivial and can be managed in a purely declarative, GitOps workflow.

You have successfully installed a production-ready BEL deployment onto your Kubernetes cluster.

You have successfully installed BEL onto your cluster. Note that your installation is optimized for non-production traffic such as demos and experiments.