buoyant.io

BEL installation guide

I want to install BEL using:

I also want to enable:

My plan features:

* Recommended for production installations

Using the CLI to install BEL is quick and easy, but note that your installation would be optimized for non-production use. For installations that handle production traffic, please use Helm or BEL’s lifecycle operator.
If a tool other than Linkerd is managing the Gateway API resources on your cluster, insure that the Gateway API resources are installed first, and that the version is compatible with Linkerd.

Get your license key

BEL requires a valid license key to run, which is available through the Buoyant portal. Following the instructions there, you should end up with environment variable(s) like this:

...

Getting the CLI tool

Once you have your license key, the next step is to download and install the BEL CLI:

...

Follow the instructions to add the linkerd CLI to your system path.

Verify that the CLI is installed and running the expected version with:

...

You should see:

...

Finally, validate that your cluster is ready for installation:

...

Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

...

Install BEL's lifecycle automation operator

Start by adding/updating the linkerd-buoyant repo:

...

Now, we can install the BEL lifecycle automation operator itself:

...

Note: Set [YOUR_CLUSTER_NAME] to the canonical name of the cluster on which you're installing the agent. This will be the name that identifies the cluster in Buoyant Cloud.

Create the TLS infrastructure

Most of Linkerd's TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

TLS key management is a complex topic. In this guide we are simply going to create our certificates by hand. Automated rotation of these credentials is commonly used in production enviornments but that is outside the scope of this guide.

Follow the Linkerd Trust Root CA & Identity Certificates & Keys doc to create the ca.crt, issuer.crt, and issuer.key files. Pay attention to the lifetimes of the certificates you are creating, especially the trust anchor, and be sure to keep these files in a safe place.

Once these files are created, run the following commands:

...

Configure the lifecycle operator

Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.

To do this, create a CRD config that will be used by the Linkerd BEL operator to install and manage the Linkerd control plane. You will need the ca.crt file from above.

...
If you are on GKE 1.29+, you need to set a custom clusterNetworks value. Learn more
...

For more information see the GKE docs

Install BEL

Finally, we're ready to install BEL on your cluster! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:

...

Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

...

Create the TLS infrastructure

Most of Linkerd's TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

TLS key management is a complex topic. In this guide we are simply going to create our certificates by hand. Automated rotation of these credentials is commonly used in production enviornments but that is outside the scope of this guide.

Follow the Linkerd Trust Root CA & Identity Certificates & Keys doc to create the ca.crt, issuer.crt, and issuer.key files. Pay attention to the lifetimes of the certificates you are creating, especially the trust anchor, and be sure to keep these files in a safe place.

Install BEL using Helm

Start by adding/updating the linkerd-buoyant repo:

...

Now, we can install the BEL components using the ca.crt, issuer.crt, and issuer.key files from above:

...
If you are on GKE 1.29+, you need to set a custom clusterNetworks value. Learn more
...

For more information see the GKE docs

Install the Buoyant Cloud agent

Set [YOUR_CLUSTER_NAME] to the canonical name of the cluster on which you're installing the agent. This will be the name that identifies the cluster in Buoyant Cloud.

...

Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

...

Install BEL using the CLI

Using the CLI to install BEL is quick and easy, but note that the TLS certificates generated by this installation will expire in a year. If you expect your Linkerd installation to run for more than a year, please use Helm or BEL's lifecycle operator.

To install BEL, run:

...
If you are on GKE 1.29+, you need to set a custom clusterNetworks value. Learn more
...

For more information see the GKE docs

Install the Buoyant Cloud agent

Set [YOUR_CLUSTER_NAME] to the canonical name of the cluster on which you're installing the agent. This will be the name that identifies the cluster in Buoyant Cloud.

...

Verify your installation

After the installation is complete, you can verify the health and configuration of Linkerd by running the linkerd check command:

...

That's it!

You have successfully installed BEL onto your cluster, in such a way that (thanks to the lifecycle automation operator) future upgrades are trivial and can be managed in a purely declarative, GitOps workflow.

You have successfully installed a production-ready BEL deployment onto your Kubernetes cluster.

You have successfully installed BEL onto your cluster. Note that your installation is optimized for non-production traffic such as demos and experiments.