Versions of Immuta older than 2024.2.0 that were deployed using the legacy Immuta Helm Chart (IHC) generated a self-signed Certificate Authority and a cert/key pair issued from it to enable TLS on communication between the Immuta services.
The Immuta Enterprise Helm Chart (IEHC), available with the Immuta 2024.2.0 LTS release, no longer takes this approach and instead recommends following Kubernetes best practices for enabling encrypted communications. One such approach is to deploy a service mesh, which automatically enables mTLS for TCP traffic between the meshed workloads.
Considerations
Stable releases are provided as Buoyant Enterprise for Linkerd (BEL) and require a license. Edge releases remain open source and are published frequently. An unpaid enterprise license is available for the following use cases:
Usage in non-production environments only, up to 100 pods
For companies with fewer than 50 employees: unrestricted usage with unlimited pods, including in production
Installation
This guide closely follows the steps provided by Buoyant here:
License Generation
Log into the Buoyant Portal and obtain an unpaid license for testing.
Export the license and install the CLI
export BUOYANT_LICENSE=<LICENSE>
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh
export PATH=$HOME/.linkerd2/bin:$PATH
Validate the destination cluster
Run linkerd check --pre to confirm the target cluster can host the control plane. Example precheck output:
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API
kubernetes-version
------------------
√ is running the minimum Kubernetes API version
pre-kubernetes-setup
--------------------
√ control plane namespace does not already exist
√ can create non-namespaced resources
√ can create ServiceAccounts
√ can create Services
√ can create Deployments
√ can create CronJobs
√ can create ConfigMaps
√ can create Secrets
√ can read Secrets
√ can read extension-apiserver-authentication configmap
√ no clock skew detected
linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date
Status check results are √
Install the BEL Operator
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license=$BUOYANT_LICENSE \
  linkerd-buoyant/linkerd-buoyant
Use an existing certificate or generate one
Follow the Linkerd guide for generating certificates with step (the smallstep CLI). Only ca.crt is uploaded to the cluster as the trust anchor; keep ca.key offline and secured, because it is needed again to issue a new intermediate before issuer.crt (valid for 8760h, one year) expires.
brew install step
mkdir linkerd
cd linkerd
step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
  --profile intermediate-ca --not-after 8760h --no-password --insecure \
  --ca ca.crt --ca-key ca.key
Create TLS Infrastructure
The issuer certificate and key are stored in a kubernetes.io/tls Secret named linkerd-identity-issuer in the linkerd namespace, which must already exist when the manifest is applied.
cat << EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF
kubectl apply -f linkerd-identity-secret.yaml
The ControlPlane resource embeds the trust anchor (ca.crt only; the root key stays offline) and tells the identity service to read the issuer cert and key from the Secret created above. The HA values shipped with the control plane chart are appended to the controlPlaneConfig block; the indentation added by sed must match that block.
cat << EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.15.3
      license: $BUOYANT_LICENSE
      controlPlaneConfig:
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
        # HA config
$(
tmp=$(mktemp -d)
helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir "$tmp"
cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
  tail -n +2 |
  sed 's/^/        /'
)
EOF
kubectl apply -f linkerd-control-plane-config.yaml
Verify
Run linkerd check once the operator has created the control plane. Example check output:
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API
kubernetes-version
------------------
√ is running the minimum Kubernetes API version
linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ control plane pods are ready
√ cluster networks contains all pods
√ cluster networks contains all services
linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ proxy-init container runs as root user if docker container runtime is used
linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor
linkerd-webhooks-and-apisvc-tls
-------------------------------
√ proxy-injector webhook has valid cert
√ proxy-injector cert is valid for at least 60 days
√ sp-validator webhook has valid cert
√ sp-validator cert is valid for at least 60 days
√ policy-validator webhook has valid cert
√ policy-validator cert is valid for at least 60 days
linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date
control-plane-version
---------------------
√ can retrieve the control plane version
√ control plane is up-to-date
√ control plane and cli versions match
linkerd-control-plane-proxy
---------------------------
√ control plane proxies are healthy
√ control plane proxies are up-to-date
√ control plane proxies and cli versions match
linkerd-ha-checks
-----------------
√ multiple replicas of control plane pods
linkerd-extension-checks
------------------------
√ namespace configuration for extensions
linkerd-buoyant
---------------
√ linkerd-buoyant can determine the latest version
√ linkerd-buoyant cli is up-to-date
√ linkerd-buoyant Namespace exists
√ linkerd-control-plane-operator Deployment exists
√ linkerd-control-plane-operator Deployment is running
√ linkerd-control-plane-operator Deployment is up-to-date
√ linkerd-control-plane-operator Deployment is running a single pod
√ linkerd-control-plane-validator Deployment exists
√ linkerd-control-plane-validator Deployment is running
√ linkerd-control-plane-validator Deployment is up-to-date
√ linkerd-control-plane-validator Deployment is running a single pod
√ linkerd-data-plane-operator Deployment exists
√ linkerd-data-plane-operator Deployment is running
√ linkerd-data-plane-operator Deployment is up-to-date
√ linkerd-data-plane-operator Deployment is running a single pod
√ controlplanes.linkerd.buoyant.io CRD exists
√ dataplanes.linkerd.buoyant.io CRD exists
Status check results are √
Applying Linkerd to an existing Immuta deployment
linkerd inject adds the linkerd.io/inject: enabled annotation to the pod template of each Deployment in the immuta namespace; the proxy sidecar is only added when the pods are re-created, which the rollout restart below triggers.
kubectl get -n immuta deploy -o yaml | linkerd inject - | kubectl apply -f -
deployment "immuta-audit" injected
deployment "immuta-cache" injected
deployment "immuta-discover" injected
deployment "immuta-secure-background-worker" injected
deployment "immuta-secure-web" injected
deployment "pgo" injected
Warning: resource deployments/immuta-audit is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-audit configured
Warning: resource deployments/immuta-cache is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-cache configured
Warning: resource deployments/immuta-discover is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-discover configured
Warning: resource deployments/immuta-secure-background-worker is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-secure-background-worker configured
Warning: resource deployments/immuta-secure-web is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-secure-web configured
Warning: resource deployments/pgo is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/pgo configured
Installing Linkerd visualization tools
linkerd viz install | kubectl apply -f -
kubectl -n immuta rollout restart deploy
kubectl port-forward -n linkerd-viz service/web 8084:8084
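After the rollout restart above, every Immuta pod should carry a linkerd-proxy container; only then is its traffic protected by the mesh's mTLS. The following added example (not part of the Immuta or Buoyant documentation) checks that from kubectl output; the pod names and container lists are constructed, and the input format assumed is the jsonpath query shown in the comment.

```shell
#!/bin/sh
# Added example: report pods in a namespace that lack the linkerd-proxy sidecar.
# Input format (one pod per line): "<pod-name> <container1>,<container2>,..."
# which is what this assumed kubectl query produces:
#   kubectl get pods -n immuta -o jsonpath='{range .items[*]}{.metadata.name}{" "}{range .spec.containers[*]}{.name}{","}{end}{"\n"}{end}'

# Print the name of each pod whose container list does not include linkerd-proxy.
find_uninjected() {
  while IFS=' ' read -r pod containers; do
    [ -n "$pod" ] || continue
    case ",$containers," in
      *,linkerd-proxy,*) ;;            # sidecar present: pod is meshed
      *) printf '%s\n' "$pod" ;;       # no sidecar: traffic is not under mTLS
    esac
  done
}

# Constructed sample output: three meshed Immuta pods and one pod (a constructed
# database pod not managed by a Deployment) that the inject command did not cover.
SAMPLE_PODS='immuta-audit-7c9d8-abcde linkerd-proxy,audit,
immuta-cache-5f6b7-fghij linkerd-proxy,cache,
immuta-secure-web-1a2b3-klmno linkerd-proxy,web,
immuta-postgres-0 database,replication-cert-copy,'

# Exit non-zero when any pod is unmeshed, so the check can gate a rollout.
check_namespace_meshed() {
  uninjected=$(printf '%s\n' "$1" | find_uninjected)
  if [ -n "$uninjected" ]; then
    printf 'unmeshed pods:\n%s\n' "$uninjected" >&2
    return 1
  fi
  return 0
}

# Live usage (assumed query, see comment above):
# check_namespace_meshed "$(kubectl get pods -n immuta -o jsonpath='...')"
```

Because the inject command on this page reads only Deployments, any other workload kind in the namespace shows up here as unmeshed.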