What's on this page
Linkerd.io references
Migrating an ArgoCD-based Linkerd install to BEL's lifecycle automation
In this guide we’ll walk you through how to migrate from an ArgoCD deployment of the Linkerd control plane to one that is managed with BEL’s lifecycle automation.
Why do we need to do anything?
BEL’s lifecycle operator relies on a Helm deployment of the
and linkerd-crds
charts. ArgoCD deploys a templated
version of those charts instead of the actual charts themselves. Before the
operator can take over a Linkerd deployment we’ll first need to tell Helm to
“adopt” the existing Linkerd install.
What do we need to do?
Follow along with the steps in this document to “adopt” an existing Linkerd install. In our example we’re going to show you how to spin up a k3d cluster but you can perform the migration steps on any cluster.
Required tools
To complete this migration, you will need:
- A functioning Kubernetes cluster with Linkerd install via ArgoCD
- Helm installed on your local machine
- The
environment variable set - The
BEL CLI, for decoding TLS certificates in Step 1
Step 1: Migrating an ArgoCD install to Helm
You’ll need to move your ArgoCD install to a Helm install of the latest BEL version before managing it with the lifecycle automation operator.
The Helm charts used in this step are hosted in the linkerd-buoyant
Helm repo,
which can be added/updated as followed:
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update linkerd-buoyant
Start by adding the required labels and annotations to Linkerd’s CRDs:
kubectl label crds -l linkerd.io/control-plane-ns=linkerd app.kubernetes.io/managed-by=Helm
kubectl annotate crds -l linkerd.io/control-plane-ns=linkerd \
meta.helm.sh/release-name=linkerd-crds meta.helm.sh/release-namespace=linkerd
Then use the helm
command to move these resources to be managed by BEL’s
helm install linkerd-crds -n linkerd linkerd-buoyant/linkerd-enterprise-crds
Next add the required labels and annotations to all control plane resources:
kubectl label clusterrole,clusterrolebinding,configmap,cronjob,deployment,mutatingwebhookconfiguration,namespace,role,rolebinding,secret,service,serviceaccount,validatingwebhookconfiguration \
-A -l linkerd.io/control-plane-ns=linkerd \
kubectl annotate clusterrole,clusterrolebinding,configmap,cronjob,deployment,mutatingwebhookconfiguration,namespace,role,rolebinding,secret,service,serviceaccount,validatingwebhookconfiguration \
-A -l linkerd.io/control-plane-ns=linkerd \
meta.helm.sh/release-name=linkerd-control-plane meta.helm.sh/release-namespace=linkerd
kubectl -n linkerd label role/ext-namespace-metadata-linkerd-config \
kubectl -n linkerd annotate role/ext-namespace-metadata-linkerd-config \
linkerd.io/control-plane-ns=linkerd meta.helm.sh/release-name=linkerd-control-plane meta.helm.sh/release-namespace=linkerd
Then use the helm
command to move these resources to be managed by BEL’s
To complete this step, you will need the CA certificate that you used to install your control plane. Assuming you followed Linkerd’s GitOps guide to ArgoCD, you’ll already be using cert-manager to furnish your issuer certificates. Get the CA certificate with:
kubectl -n linkerd get cm/linkerd-identity-trust-roots -ojsonpath='{.data.ca-bundle\.crt}' > ca.crt
Then run the Helm install:
helm install linkerd-control-plane \
-n linkerd \
--set license=$BUOYANT_LICENSE \
--set-file identityTrustAnchorsPEM=ca.crt \
--set identity.issuer.scheme=kubernetes.io/tls \
Your Linkerd installation on this cluster is now managed via Helm, which you can verify by running:
helm list -n linkerd
Which should output something like:
linkerd-control-plane linkerd 1 ... enterprise-2.17.1
linkerd-crds linkerd 1 ... enterprise-2.17.1
Step 2: Migrating to BEL’s lifecycle automation
With Step 1 completed, the ArgoCD deployment of the Linkerd control plane has been migrated to Helm.
You can now use BEL’s lifecycle operator to takeover this Helm install using the BEL lifecycle automation guide, starting with Step 2.