Deploying Linkerd Service Mesh via Buoyant Enterprise for Linkerd

Versions of Immuta older than 2024.2.0 that were deployed using the legacy Immuta Helm Chart (IHC) generated a self-signed Certificate Authority and generated a cert/key pair to enable TLS on communication between the Immuta services.

The Immuta Enterprise Helm Chart (IEHC) available with the Immuta 2024.2.0 LTS release no longer takes this approach and instead recommends following Kubernetes best practices for enabling encrypted communications. One such approach is by deploying a service mesh which automatically enables mTLS for TCP traffic.

Considerations

Stable releases are provided by Buoyant Enterprise (BEL) and require a license. Edge releases remain open source and are published frequently. An unpaid enterprise license is available for the following use cases:

Usage in non-production environments only, up to 100 pods
For companies with fewer than 50 employees: unrestricted usage with unlimited pods, including in production

Installation

This guide closely follows the steps provided by Buoyant here:

License Generation

Log into the Buoyant Portal and obtain an unpaid license for testing:

Export the license and install the cli

export BUOYANT_LICENSE=<LICENSE>
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh
export PATH=$HOME/.linkerd2/bin:$PATH

Validate the destination cluster

linkerd check --pre

Example precheck output

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version

pre-kubernetes-setup
--------------------
√ control plane namespace does not already exist
√ can create non-namespaced resources
√ can create ServiceAccounts
√ can create Services
√ can create Deployments
√ can create CronJobs
√ can create ConfigMaps
√ can create Secrets
√ can read Secrets
√ can read extension-apiserver-authentication configmap
√ no clock skew detected

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

Status check results are √

Install the BEL Operator

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
helm install linkerd-buoyant \
  --create-namespace \
  --namespace linkerd-buoyant \
  --set buoyantCloudEnabled=false \
  --set license=$BUOYANT_LICENSE \
  linkerd-buoyant/linkerd-buoyant

Use existing or generate certificate

Follow the linkerd guide for generating certificates with step

brew install step
mkdir linkerd
cd linkerd
step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure

step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca ca.crt --ca-key ca.key

Create TLS Infrastructure

cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF

kubectl apply -f linkerd-identity-secret.yaml

cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.15.3
      license: $BUOYANT_LICENSE
      controlPlaneConfig:
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls

        # HA config

$(
  tmp=$(mktemp -d)
  helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir $tmp
  cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
    tail -n +2 |
    sed 's/^/      /'
)
EOF

kubectl apply -f linkerd-control-plane-config.yaml

Verify

linkerd check

Example check output

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ control plane pods are ready
√ cluster networks contains all pods
√ cluster networks contains all services

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ proxy-init container runs as root user if docker container runtime is used

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-webhooks-and-apisvc-tls
-------------------------------
√ proxy-injector webhook has valid cert
√ proxy-injector cert is valid for at least 60 days
√ sp-validator webhook has valid cert
√ sp-validator cert is valid for at least 60 days
√ policy-validator webhook has valid cert
√ policy-validator cert is valid for at least 60 days

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ can retrieve the control plane version
√ control plane is up-to-date
√ control plane and cli versions match

linkerd-control-plane-proxy
---------------------------
√ control plane proxies are healthy
√ control plane proxies are up-to-date
√ control plane proxies and cli versions match

linkerd-ha-checks
-----------------
√ multiple replicas of control plane pods

linkerd-extension-checks
------------------------
√ namespace configuration for extensions

linkerd-buoyant
---------------
√ linkerd-buoyant can determine the latest version
√ linkerd-buoyant cli is up-to-date
√ linkerd-buoyant Namespace exists
√ linkerd-control-plane-operator Deployment exists
√ linkerd-control-plane-operator Deployment is running
√ linkerd-control-plane-operator Deployment is up-to-date
√ linkerd-control-plane-operator Deployment is running a single pod
√ linkerd-control-plane-validator Deployment exists
√ linkerd-control-plane-validator Deployment is running
√ linkerd-control-plane-validator Deployment is up-to-date
√ linkerd-control-plane-validator Deployment is running a single pod
√ linkerd-data-plane-operator Deployment exists
√ linkerd-data-plane-operator Deployment is running
√ linkerd-data-plane-operator Deployment is up-to-date
√ linkerd-data-plane-operator Deployment is running a single pod
√ controlplanes.linkerd.buoyant.io CRD exists
√ dataplanes.linkerd.buoyant.io CRD exists

Status check results are √

Applying linkerd to an existing Immuta deployment

kubectl get -n immuta deploy -o yaml |linkerd inject - |kubectl apply -f -

deployment "immuta-audit" injected
deployment "immuta-cache" injected
deployment "immuta-discover" injected
deployment "immuta-secure-background-worker" injected
deployment "immuta-secure-web" injected
deployment "pgo" injected

Warning: resource deployments/immuta-audit is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-audit configured
Warning: resource deployments/immuta-cache is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-cache configured
Warning: resource deployments/immuta-discover is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-discover configured
Warning: resource deployments/immuta-secure-background-worker is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-secure-background-worker configured
Warning: resource deployments/immuta-secure-web is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-secure-web configured
Warning: resource deployments/pgo is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/pgo configured

Installing Linkerd visualization tools

linkerd viz install | kubectl apply -f -
kubectl -n immuta rollout restart deploy
kubectl port-forward -n linkerd-viz service/web 8084:8084

PreviousDeploying Linkerd via Open Source Linkerd NextUninstalling Linkerd