Production-grade installation

In this guide, we’ll walk you through how to create a production-grade installation for BEL. This installation includes:

  • A highly-available control plane that is deployed as multiple replicas, with node anti-affinity constraints.
  • Our Lifecycle automation operator to automate control plane and data plane upgrades.
  • Explicit choices about the longevity of TLS credentials.
If you are on the Enterprise Plan for BEL, see the Enterprise Plan installation guide.

Before you begin, make sure you have the following:

  • A functioning Kubernetes cluster
  • Helm installed on your local machine
  • If using the Linkerd CNI plugin, it should be installed first

Step 0: Get your license key

BEL requires a valid license key to run. Log into the Buoyant portal and follow the instructions there. You should end up with an environment variable like this:

export BUOYANT_LICENSE=[LICENSE]

Step 1: Get the CLI tool

Once you have your license key, the next step is to download and install the BEL CLI:

curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh

Follow the instructions to add the BEL linkerd CLI to your system path.

Verify that the CLI is installed and running the expected version with:

linkerd version --client

You should see:

Client version: enterprise-2.16.2

Finally, validate that your Kubernetes cluster is ready for installation:

linkerd check --pre

Step 2: Install the BEL lifecycle automation operator

The next step is to install the BEL’s lifecycle automation components, which will automate installation and upgrades of BEL.

Start by adding/updating the linkerd-buoyant repo:

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

Now, we can install the BEL lifecycle automation operator itself:

helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license=$BUOYANT_LICENSE \
  linkerd-buoyant/linkerd-buoyant

Step 3: Create the TLS infrastructure

Most of Linkerd’s TLS infrastructure is fully automated, but there are some things we need to generate: a trust anchor certificate and key pair, and an issuer certificate and key pair.

TLS key management is a complex topic. In this guide we are simply going to create our certificates by hand. Automated rotation of these credentials is commonly used in production enviornments but that is outside the scope of this guide.

Follow the Linkerd Trust Root CA & Identity Certificates & Keys docs. Pay attention to the lifetimes of the certificates you are creating, especially the trust anchor.

You will need the resulting ca.crt, issuer.crt, and issuer.key files. Be sure to keep these files in a safe place.

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

kubectl apply -f linkerd-identity-secret.yaml

Step 4: Configure the lifecycle operator with these TLS credentials

Next, we need to configure the BEL lifecycle automation components to be able to install Linkerd using those TLS credentials we just created.

To do this, create a CRD config that will be used by the Linkerd BEL operator to install and manage the Linkerd control plane. You will need the ca.crt file from above.

cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.16.2
      controlPlaneConfig:
        license: $BUOYANT_LICENSE
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls

        # HA config

$(
  tmp=$(mktemp -d)
  helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir $tmp
  cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
    tail -n +2 |
    sed 's/^/      /'
)
EOF
If you are on GKE 1.29+, you need to set a custom clusterNetworks value. Learn more
spec:
  components:
    linkerd:
      controlPlaneConfig:
        clusterNetworks: "34.118.224.0/20,10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"

For more information see the GKE docs.

Step 5: Install BEL

Finally, we’re ready to install BEL on your cluster! Apply the config we created in the previous step to activate the BEL lifecycle operator and install the Linkerd control plane:

kubectl apply -f linkerd-control-plane-config.yaml

Step 6: Verify your installation

After the installation is complete, you can verify the health and configuration of Linkerd by running the linkerd check command:

linkerd check

That’s it!

You have successfully installed a production-ready BEL deployment onto your Kubernetes cluster.

You can also use BEL’s lifecycle automation to manage the data plane on your cluster, separate from the control plane. Please see our lifecycle automation management guide to get started.

Happy meshing!