Deploying Linkerd Service Mesh via Buoyant Enterprise for Linkerd
Versions of Immuta older than 2024.2.0 that were deployed using the legacy Immuta Helm Chart (IHC) generated a self-signed Certificate Authority and a cert/key pair to enable TLS on communication between the Immuta services.
The Immuta Enterprise Helm Chart (IEHC) available with the Immuta 2024.2.0 LTS release no longer takes this approach and instead recommends following Kubernetes best practices for enabling encrypted communications. One such approach is to deploy a service mesh, which automatically enables mTLS for TCP traffic.
Considerations
Stable releases are provided by Buoyant Enterprise for Linkerd (BEL) and require a license. Edge releases remain open source and are published frequently. An unpaid enterprise license is available for the following use cases:
Usage in non-production environments only, up to 100 pods
For companies with fewer than 50 employees: unrestricted usage with unlimited pods, including in production
Installation
This guide closely follows the steps provided by Buoyant here:
License Generation
Log into the Buoyant Portal and obtain an unpaid license for testing:
Export the license and install the CLI
export BUOYANT_LICENSE=<LICENSE>
curl --proto '=https' --tlsv1.2 -sSfL https://enterprise.buoyant.io/install | sh
export PATH=$HOME/.linkerd2/bin:$PATH
Validate the destination cluster
linkerd check --pre
Install the BEL Operator
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
helm install linkerd-buoyant \
--create-namespace \
--namespace linkerd-buoyant \
--set buoyantCloudEnabled=false \
--set license=$BUOYANT_LICENSE \
linkerd-buoyant/linkerd-buoyant
Use existing or generate certificate
Follow the Linkerd guide for generating certificates with step:
brew install step
mkdir linkerd
cd linkerd
step certificate create root.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca ca.crt --ca-key ca.key
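The issuer certificate created above is valid for 8760h (one year), and the identity Secret and ControlPlane built in the next step are only as trustworthy as this pair. The following script is an added example, not part of the Immuta or Buoyant documentation: it checks that issuer.crt chains to ca.crt, carries the identity.linkerd.cluster.local subject, is itself a CA, and has at least a configurable number of days left before it is packed into the Secret. It assumes the file names used above; its make_test_pair helper is a constructed openssl stand-in for the step commands so the check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the Immuta or Buoyant docs): validate the trust
# anchor / issuer pair before it is packed into the linkerd-identity-issuer
# Secret. Assumes the file names used above (ca.crt, issuer.crt); needs openssl.
set -u

# check_issuer_chain CA_CERT ISSUER_CERT [MIN_DAYS]
# Succeeds only if ISSUER_CERT is signed by CA_CERT, has the subject Linkerd's
# identity service expects, is itself a CA, and stays valid for at least
# MIN_DAYS (default 30). Prints the reason on failure.
check_issuer_chain() {
  ca="$1"; issuer="$2"; min_days="${3:-30}"
  openssl verify -CAfile "$ca" "$issuer" >/dev/null 2>&1 \
    || { echo "FAIL: $issuer is not signed by $ca"; return 1; }
  openssl x509 -in "$issuer" -noout -subject | grep -q 'identity.linkerd.cluster.local' \
    || { echo "FAIL: issuer subject is not identity.linkerd.cluster.local"; return 1; }
  openssl x509 -in "$issuer" -noout -text | grep -q 'CA:TRUE' \
    || { echo "FAIL: issuer lacks basicConstraints CA:TRUE"; return 1; }
  # -checkend exits non-zero when the cert expires inside the given window.
  openssl x509 -in "$issuer" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: issuer expires within $min_days days; rotate it first"; return 1; }
  echo "OK: $issuer chains to $ca and is valid for more than $min_days days"
}

# make_test_pair DIR DAYS: constructed openssl stand-in for the step commands
# above, so the check can be exercised offline. Writes DIR/ca.crt and
# DIR/issuer.crt, with the issuer valid for DAYS days.
make_test_pair() {
  dir="$1"; days="$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=root.linkerd.cluster.local \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/issuer.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=identity.linkerd.cluster.local \
    -keyout "$dir/issuer.key" -out "$dir/issuer.csr" 2>/dev/null
  openssl x509 -req -in "$dir/issuer.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/issuer.ext" \
    -out "$dir/issuer.crt" 2>/dev/null
}

# Usage: ./check-linkerd-certs.sh ca.crt issuer.crt [min_days]
if [ "$#" -ge 2 ]; then
  check_issuer_chain "$@"
fi
```

Run it against the real ca.crt and issuer.crt before the Secret below is created; a non-zero exit means the pair should not be deployed.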
Create TLS Infrastructure
cat <<EOF > linkerd-identity-secret.yaml
apiVersion: v1
data:
  ca.crt: $(cat ca.crt | base64 | tr -d '\n')
  tls.crt: $(cat issuer.crt | base64 | tr -d '\n')
  tls.key: $(cat issuer.key | base64 | tr -d '\n')
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
type: kubernetes.io/tls
EOF
kubectl apply -f linkerd-identity-secret.yaml
cat <<EOF > linkerd-control-plane-config.yaml
apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      version: enterprise-2.15.3
      license: $BUOYANT_LICENSE
      controlPlaneConfig:
        identityTrustAnchorsPEM: |
$(cat ca.crt | sed 's/^/          /')
        identity:
          issuer:
            scheme: kubernetes.io/tls
        # HA config: the values-ha.yaml keys are indented to sit under controlPlaneConfig
$(
  tmp=$(mktemp -d)
  helm pull linkerd-buoyant/linkerd-enterprise-control-plane --untar --untardir $tmp
  cat "$tmp/linkerd-enterprise-control-plane/values-ha.yaml" |
    tail -n +2 |
    sed 's/^/        /'
)
EOF
kubectl apply -f linkerd-control-plane-config.yaml
Verify
linkerd check
Applying linkerd to an existing Immuta deployment
kubectl get -n immuta deploy -o yaml | linkerd inject - | kubectl apply -f -
deployment "immuta-audit" injected
deployment "immuta-cache" injected
deployment "immuta-discover" injected
deployment "immuta-secure-background-worker" injected
deployment "immuta-secure-web" injected
deployment "pgo" injected
Warning: resource deployments/immuta-audit is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-audit configured
Warning: resource deployments/immuta-cache is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-cache configured
Warning: resource deployments/immuta-discover is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-discover configured
Warning: resource deployments/immuta-secure-background-worker is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-secure-background-worker configured
Warning: resource deployments/immuta-secure-web is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/immuta-secure-web configured
Warning: resource deployments/pgo is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/pgo configured
Installing Linkerd visualization tools
linkerd viz install | kubectl apply -f -
kubectl -n immuta rollout restart deploy
kubectl port-forward -n linkerd-viz service/web 8084:8084
