DEV Community

Ivan Porta

Posted on • Originally published at gtrekter.Medium

How to Install Linkerd Enterprise via CLI, Operator, and Helm Charts

In the past weeks, I encountered several cases of confusion with the Linkerd installations, especially when people missed key components like operators, Helm charts, or crucial steps. In this article, I’ll walk you through how to install the enterprise version of the Linkerd service mesh.

There are three main ways to install Linkerd Enterprise in your Kubernetes cluster:

  • Linkerd CLI
  • Helm Charts
  • Using an Operator

Regardless of the method you choose, you must first create an account on the Linkerd Enterprise platform. However, it’s worth noting that installing Linkerd Enterprise does NOT require enabling the Buoyant Cloud SaaS platform.

Access Your Linkerd Enterprise License Key

The first step in installing Linkerd Enterprise is obtaining your license key. To do so, follow these steps:

  • Browse to https://enterprise.buoyant.io/
  • Create an account if you don’t already have one, or log in with your existing credentials.
  • In the installation tab, you will see a panel with your API_CLIENT_ID, API_CLIENT_SECRET, and BUOYANT_LICENSE

While the API_CLIENT_ID and API_CLIENT_SECRET are used to connect with Buoyant Cloud, the BUOYANT_LICENSE is the key you'll need to proceed with the installation of Linkerd Enterprise in your cluster.


Note: Buoyant Enterprise for Linkerd is free for non-production traffic, and companies with fewer than 50 employees can use it for free, regardless of scale.

(Optional) Generating Trust Anchor and Identity Certificate

To secure communication between meshed pods, Linkerd applies mutual TLS (mTLS) to all TCP communications. For this to work, Linkerd requires a Trust Anchor, Identity Certificates, and the associated private keys. These certificates are stored as Kubernetes secrets and are used by the Linkerd control plane to issue certificates to each Linkerd proxy.

By default, if no certificates are provided, the Linkerd CLI will generate a Trust Anchor and Identity certificate with a validity of one year. However, if you’re using Helm charts or an operator for installation, you must generate these certificates beforehand and pass them as parameters. You can generate the Trust Anchor and Identity certificates using the step tool as follows:

step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca \
  --no-password \
  --insecure

step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
  --profile intermediate-ca \
  --not-after 8760h \
  --no-password \
  --insecure \
  --ca ca.crt \
  --ca-key ca.key

You can adjust the certificate duration as needed, but it’s critical that the Trust Anchor has the Common Name root.linkerd.cluster.local and the identity intermediate certificate has the Common Name identity.linkerd.cluster.local.
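
A pre-flight check for the files generated above, written as an added example rather than code from the original article or from Buoyant: it confirms the two required Common Names, that issuer.crt chains to ca.crt and is a CA certificate, that issuer.key matches issuer.crt, and that neither certificate is about to expire. The function names and the 30-day default threshold are assumptions, and the only tool it needs is openssl.

```sh
#!/bin/sh
# Added example: sanity-check Linkerd identity material before installing.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# usage: check_linkerd_certs ca.crt issuer.crt issuer.key [min_seconds_left]
# Returns 0 when every check passes; prints one FAIL line per problem.
check_linkerd_certs() {
  ca=$1 issuer=$2 key=$3
  min_left=${4:-2592000}   # assumed threshold: 30 days of remaining validity
  rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }

  # Common Names required by the article.
  [ "$(cert_cn "$ca")" = "root.linkerd.cluster.local" ] ||
    fail "trust anchor CN is '$(cert_cn "$ca")'"
  [ "$(cert_cn "$issuer")" = "identity.linkerd.cluster.local" ] ||
    fail "issuer CN is '$(cert_cn "$issuer")'"

  # The issuer must chain to the trust anchor given to the control plane.
  openssl verify -CAfile "$ca" "$issuer" >/dev/null 2>&1 ||
    fail "issuer certificate is not signed by the trust anchor"

  # The issuer signs proxy certificates, so it must itself be a CA.
  openssl x509 -in "$issuer" -noout -text | grep -q 'CA:TRUE' ||
    fail "issuer certificate is not a CA certificate"

  # The private key must belong to the issuer certificate.
  cert_pub=$(openssl x509 -in "$issuer" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
    fail "issuer key does not match issuer certificate"

  # Both certificates must stay valid for at least min_left seconds.
  for c in "$ca" "$issuer"; do
    openssl x509 -in "$c" -noout -checkend "$min_left" >/dev/null 2>&1 ||
      fail "$c expires within $min_left seconds"
  done
  return "$rc"
}

# Run directly as: sh check.sh ca.crt issuer.crt issuer.key
if [ "$#" -eq 3 ]; then check_linkerd_certs "$@"; fi
```

Running it before the Helm or operator steps catches a mismatched key or a wrong Common Name while the fix is still a matter of regenerating files.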

Installing via Linkerd Enterprise CLI

The Linkerd development team has built a powerful CLI that lets you interact with the Linkerd components running in your Kubernetes cluster and perform various operations, from installation and proxy injection to diagnostics and metrics collection.

First, download the Linkerd CLI and update your PATH environment variable so you can run the Linkerd commands without navigating to the .linkerd2 directory every time.

$ curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh
$ export PATH=$HOME/.linkerd2/bin:$PATH

Use the check command to ensure that there are no conflicts with CRDs, roles, namespaces, and other components that will prevent Linkerd from being installed.

linkerd check --pre

Next, deploy the Linkerd custom resource definitions (CRDs), for example servers.policy.linkerd.io and httproutes.policy.linkerd.io.

Note: The CLI won’t directly install the Kubernetes resources but will output their manifests. You can pipe this output to kubectl apply to install them.

linkerd install --crds | kubectl apply -f -

Once the CRDs are in place, proceed with installing the heart of Linkerd: the control plane. The control plane will deploy several components that manage service discovery, routing, mTLS, and other core functions of Linkerd.

linkerd install | kubectl apply -f -

Installation via Helm Charts

Some organizations might have compliance policies or workflows that steer them toward the usage of Helm charts. The process is similar to the CLI installation, with the main difference being how resources are applied. Just like the CLI installation, you will need to install the CRDs first, followed by the control plane.

Note: As of version 2.15, Linkerd Enterprise Helm charts are stored in traditional Helm registries hosted on ArtifactHub, with container images hosted in GitHub. This differs from previous releases, where Helm charts and container images were stored in OCI-based and Azure Container Registries.

First, add the Buoyant Helm repository to your local Helm configuration.

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

The next step is to install the Helm chart that contains the necessary CRDs.

helm upgrade --install linkerd-enterprise-crds \
  linkerd-buoyant/linkerd-enterprise-crds \
  --namespace linkerd \
  --create-namespace

Finally, we can move on to installing the control plane. This is the chart where you will apply most of your custom configurations, such as enabling features like HAZL or modifying proxyInit settings.

For example, you can apply the following configurations during installation:

  --set proxyInit.runAsRoot=true \
  --set 'destinationController.additionalArgs[0]=-ext-endpoint-zone-weights' \
  --set 'proxy.additionalEnv[0].name=BUOYANT_BALANCER_LOAD_LOW' \
  --set 'proxy.additionalEnv[0].value=0.1' \
  --set 'proxy.additionalEnv[1].name=BUOYANT_BALANCER_LOAD_HIGH' \
  --set 'proxy.additionalEnv[1].value=3.0'

For a basic installation with default values, you can run the following command:

helm upgrade --install linkerd-enterprise-control-plane \
  linkerd-buoyant/linkerd-enterprise-control-plane \
  --set-file linkerd-control-plane.identityTrustAnchorsPEM=./ca.crt \
  --set-file linkerd-control-plane.identity.issuer.tls.crtPEM=./issuer.crt \
  --set-file linkerd-control-plane.identity.issuer.tls.keyPEM=./issuer.key \
  --set buoyantCloudEnabled=false \
  --set license="$BUOYANT_LICENSE" \
  --namespace linkerd \
  --create-namespace

As you can see, we are still required to provide the Root Certificate, Issuer Certificate, and Issuer Private Key.

Installation via Operator

Before moving into the installation process, let’s briefly explain what a Kubernetes operator is.

What’s an Operator?

A Kubernetes operator is an application-specific controller that extends the Kubernetes API to manage instances of applications on behalf of the user. It monitors the desired state of the cluster and compares it to the actual state, taking action to reconcile any differences using control loops. This simplifies complex application management tasks in Kubernetes.

First, add the Buoyant Helm repository to your local Helm configuration:

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

Next, we can install the Linkerd Enterprise operator. Unlike the CLI or Helm chart-based installation, this is the only chart you’ll need to install. Once the operator is configured, it will handle the installation and configuration of all necessary resources, including ConfigMaps, CRDs, and other components, automatically.

helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license="$BUOYANT_LICENSE" \
  linkerd-buoyant/linkerd-buoyant

Then we need to create a dedicated secret to store the Trust Anchor, the Identity Certificate, and its related private key.

kubectl create secret generic linkerd-identity-issuer \
  --namespace=linkerd \
  --from-file=ca.crt=./ca.crt \
  --from-file=tls.crt=./issuer.crt \
  --from-file=tls.key=./issuer.key

At this point, the operator has not yet installed the control plane or the CRDs because it lacks the necessary configuration.

$ kubectl get controlplane.linkerd.buoyant.io -A
No resources found

$ helm list -A
NAME                  NAMESPACE       REVISION UPDATED                                  STATUS   CHART                                   APP VERSION      
linkerd-buoyant       linkerd-buoyant 1        2024-10-22 07:04:31.801677526 +0200 CEST deployed linkerd-buoyant-0.32.1                  0.32.1

To proceed, deploy the control plane resource with the License key, Linkerd Version and Trust Anchor certificate.

cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: $LINKERD_VERSION
      license: $BUOYANT_LICENSE
      controlPlaneConfig:
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
EOF
kubectl apply -f linkerd-control-plane-config.yaml

The operator works in cycles, so it might need a couple of seconds before it begins installing the necessary resources, including the Helm charts for Linkerd’s CRDs and control plane.

$ helm list -A
NAME                  NAMESPACE       REVISION UPDATED                                  STATUS   CHART                                   APP VERSION      
linkerd-buoyant       linkerd-buoyant 1        2024-10-22 07:04:31.801677526 +0200 CEST deployed linkerd-buoyant-0.32.1                  0.32.1           
linkerd-control-plane linkerd         1        2024-10-22 05:05:01.122822879 +0000 UTC  deployed linkerd-enterprise-control-plane-2.16.1 enterprise-2.16.1
linkerd-crds          linkerd         1        2024-10-22 05:04:59.388052991 +0000 UTC  deployed linkerd-enterprise-crds-2.16.1          enterprise-2.16.1
