What's on this page
Production-grade installation
In this guide, we’ll walk you through how to create a production-grade installation for BEL. This installation includes:
- A highly-available control plane that is deployed as multiple replicas, with node anti-affinity constraints.
- Our Lifecycle automation operator to automate control plane and data plane upgrades.
- Explicit choices about the longevity of TLS credentials.
Before you begin, make sure you have the following:
- A functioning Kubernetes cluster
- Helm installed on your local machine
- If using the Linkerd CNI plugin, it should be installed first
Step 0: Get your license key
BEL requires a valid license key to run. Log into the Buoyant portal and follow the instructions there. You should end up with an environment variable like this:
export BUOYANT_LICENSE=[LICENSE]
Step 1: Get the CLI tool
Once you have your license key, the next step is to download and install the BEL CLI:
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh
Follow the instructions to add the BEL linkerd
CLI to your system path.
Verify that the CLI is installed and running the expected version with:
linkerd version --client
You should see:
Client version: enterprise-2.16.2
Finally, validate that your Kubernetes cluster is ready for installation:
linkerd check --pre
Step 2: Install the BEL lifecycle automation operator
The next step is to install the BEL’s lifecycle automation components, which will automate installation and upgrades of BEL.
Start by adding/updating the linkerd-buoyant
repo:
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
Now, we can install the BEL lifecycle automation operator itself:
helm install linkerd-buoyant \
--create-namespace \
--namespace linkerd-buoyant \
--set buoyantCloudEnabled=false \
--set license=$BUOYANT_LICENSE \
linkerd-buoyant/linkerd-buoyant
Step 3: Create the TLS infrastructure
Most of Linkerd’s TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.
TLS key management is a complex topic. In this guide we are simply going to create our certificates by hand. Automated rotation of these credentials is commonly used in production enviornments but that is outside the scope of this guide.
Follow the Linkerd Trust Root CA & Identity Certificates & Keys docs. Pay attention to the lifetimes of the certificates you are creating, especially the trust anchor.
You will need the resulting ca.crt
, issuer.crt
, and issuer.key
files. Be
sure to keep these files in a safe place.
cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
ca.crt: $(cat ca.crt | base64 | tr -d '\n')
tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
name: linkerd-identity-issuer
namespace: linkerd
type: kubernetes.io/tls
EOF
kubectl apply -f linkerd-identity-secret.yaml
Step 4: Configure the lifecycle operator with these TLS credentials
Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.
To do this, create a CRD config that will be used by the Linkerd BEL operator to
install and manage the Linkerd control plane. You will need the ca.crt
file
from above.
cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
name: linkerd-control-plane
spec:
components:
linkerd:
version: enterprise-2.16.2
controlPlaneConfig:
license: $BUOYANT_LICENSE
identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/ /')
identity:
issuer:
scheme: kubernetes.io/tls
# HA config
$(
tmp=$(mktemp -d)
helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir $tmp
cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
tail -n +2 |
sed 's/^/ /'
)
EOF
If you are on GKE 1.29+, you need to set a custom clusterNetworks
value. Learn more
spec:
components:
linkerd:
controlPlaneConfig:
clusterNetworks: "34.118.224.0/20,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
For more information see the GKE docs.
Step 5: Install BEL
Finally, we’re ready to install BEL on your cluster! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:
kubectl apply -f linkerd-control-plane-config.yaml
Step 6: Verify your installation
After the installation is complete, you can verify the health and configuration
of Linkerd by running the linkerd check
command:
linkerd check
That’s it!
You have successfully installed a production-ready BEL deployment onto your Kubernetes cluster.
Happy meshing!