Linkerd is a dedicated infrastructure layer that facilitates service-to-service communication, automatically encrypts connections, and handles retries and timeouts. Installing the Linkerd add-on component ensures balancing of gRPC traffic when scaling BRIX services. It also provides telemetry (success rates, latencies), and much more.
Linkerd is a necessary component for enabling support of service scaling on the side of the BRIX application. Without Linkerd installed, scaling of BRIX microservices will not work.
To learn about installing Linkerd using Cert-manager, see Install Linkerd using Cert-manager.
This article covers how to:
- prepare certificates using openssl for Linkerd and install it;
- delete the Linkerd chart using Helm in the Kubernetes cluster.
The installation consists of four steps:
- Prepare certificates for Linkerd.
- Download the Helm chart and configuration file.
- Fill out the configuration file.
- Install the Linkerd chart using helm in the Kubernetes cluster.
Step 1: Prepare certificates for Linkerd
Generate certificates using OpenSSL with the commands below. Linkerd requires a trust anchor certificate and issuer certificates with the corresponding key to support mutual TLS connections between services. All certificates must use the ECDSA P-256 algorithm.
# Create CA private key
openssl ecparam -name prime256v1 -genkey -noout -out ca-private.pem
# Create CA public key
openssl ec -in ca-private.pem -pubout -out ca-public.pem
# Create self-signed CA certificate
openssl req -x509 -new -key ca-private.pem -days 3650 -out ca.crt -subj "/CN=root.linkerd.cluster.local"
# Create issuer private key
openssl ecparam -name prime256v1 -genkey -noout -out issuer-private.pem
# Create issuer public key
openssl ec -in issuer-private.pem -pubout -out issuer-public.pem
# Create certificate signing request
openssl req -new -key issuer-private.pem -out issuer.csr -subj "/CN=identity.linkerd.cluster.local" -addext basicConstraints=critical,CA:TRUE
# Create issuer certificate by signing the request
openssl x509 \
-extfile /etc/ssl/openssl.cnf \
-extensions v3_ca \
-req \
-in issuer.csr \
-days 3650 \
-CA ca.crt \
-CAkey ca-private.pem \
-CAcreateserial \
-out issuer.crt
# Remove certificate signing request
rm issuer.csr
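Before passing these files to Helm in Step 4, it is worth confirming that they meet the requirements stated above: the issuer chains to the trust anchor, is a CA, uses ECDSA P-256, and matches its private key. The shell functions below are an added example, not part of the original BRIX documentation; the names `check_linkerd_certs` and `make_demo_pki` are hypothetical, and the 30-day expiry threshold is an assumption.

```shell
# Added example: pre-flight check for the files produced in Step 1.
# Usage: check_linkerd_certs ca.crt issuer.crt issuer-private.pem
check_linkerd_certs() {
  ca=$1; crt=$2; key=$3
  # 1. The issuer certificate must chain to the trust anchor.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt is not signed by $ca"; return 1; }
  # 2. The issuer must be a CA, or it cannot sign workload certificates.
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' ||
    { echo "FAIL: $crt lacks basicConstraints CA:TRUE"; return 1; }
  for c in "$ca" "$crt"; do
    # 3. Both certificates must carry an ECDSA P-256 public key.
    openssl x509 -in "$c" -noout -text | grep -q 'ASN1 OID: prime256v1' ||
      { echo "FAIL: $c is not ECDSA P-256"; return 1; }
    # 4. Neither certificate may expire within 30 days (assumed threshold).
    openssl x509 -in "$c" -noout -checkend 2592000 >/dev/null ||
      { echo "FAIL: $c expires within 30 days"; return 1; }
  done
  # 5. The private key passed to Helm must match the issuer certificate.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: $key does not match $crt"; return 1; }
  echo "OK"
}

# Constructed sample input: throwaway PKI in directory $1 (hypothetical helper).
make_demo_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca-private.pem"
  openssl req -x509 -new -config "$d/demo.cnf" -key "$d/ca-private.pem" \
    -days 365 -subj "/CN=root.linkerd.cluster.local" -out "$d/ca.crt"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/issuer-private.pem"
  openssl req -new -config "$d/demo.cnf" -key "$d/issuer-private.pem" \
    -subj "/CN=identity.linkerd.cluster.local" -out "$d/issuer.csr"
  # Correct issuer: signed with the v3_ca extension section.
  openssl x509 -req -in "$d/issuer.csr" -days 365 -CA "$d/ca.crt" \
    -CAkey "$d/ca-private.pem" -CAcreateserial -extfile "$d/demo.cnf" \
    -extensions v3_ca -out "$d/issuer.crt" 2>/dev/null
  # Broken issuer: same request signed without extensions, so no CA:TRUE.
  openssl x509 -req -in "$d/issuer.csr" -days 365 -CA "$d/ca.crt" \
    -CAkey "$d/ca-private.pem" -CAcreateserial \
    -out "$d/issuer-noca.crt" 2>/dev/null
}
```

Run `check_linkerd_certs ca.crt issuer.crt issuer-private.pem` in the directory from Step 1; any `FAIL` line means the files should be regenerated before the chart is installed.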
Step 2: Download the Helm chart and configuration file
To install via the internet, obtain the values-linkerd.yaml configuration file by executing the command:
helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/linkerd > values-linkerd.yaml
Acquiring the configuration file for a closed-loop installation with no internet access
helm repo add elma365 https://charts.elma365.tech
For more details, see Download BRIX images.
tar -xf linkerd-X.Y.Z.tgz
Step 3: Fill out the configuration file
Fill out the values-linkerd.yaml configuration file for installing Linkerd.
Specify the DNS domain name of the Kubernetes cluster in the linkerd.clusterDomain parameter, in this case, cluster.local.
## Linkerd settings
linkerd:
  ## DNS domain name of Kubernetes
  clusterDomain: cluster.local
  ## adds PodSecurityPolicy resource (deprecated starting with k8s v1.21)
  enablePSP: false
  ## disable heartbeat
  disableHeartBeat: false
  ...
To ensure high availability, you may uncomment the parameters in the Parameters for high availability section.
Example of enabling high availability:
## Linkerd settings
linkerd:
  ...
  ##
  ## Parameters for high availability
  controllerReplicas: 3
  enablePodDisruptionBudget: true
  deploymentStrategy:
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 25%
  enablePodAntiAffinity: true
  proxy:
    resources:
      cpu:
        request: 100m
      memory:
        limit: 250Mi
        request: 20Mi
  controllerResources: &controller_resources
    cpu: &controller_resources_cpu
      limit: ""
      request: 100m
    memory:
      limit: 250Mi
      request: 50Mi
  destinationResources: *controller_resources
  identityResources:
    cpu: *controller_resources_cpu
    memory:
      limit: 250Mi
      request: 10Mi
  heartbeatResources: *controller_resources
  proxyInjectorResources: *controller_resources
  webhookFailurePolicy: Fail
  spValidatorResources: *controller_resources
  ##
  ...
To connect to a private registry, you need to:
## linkerd settings where the format is as follows:
Step 4: Install the Linkerd chart using helm in the Kubernetes cluster
Install the Linkerd chart in the linkerd namespace. The namespace will be created during installation if it does not already exist.
In this article, the installation command is executed from the directory where the certificates were created in Step 1. If you run the command from a different directory, specify the paths to the certificates created in Step 1 (ca.crt, issuer.crt, issuer-private.pem).
For online installation:
helm upgrade --install linkerd elma365/linkerd -f values-linkerd.yaml -n linkerd --create-namespace \
--set-file linkerd.identityTrustAnchorsPEM=ca.crt \
--set-file linkerd.identity.issuer.tls.crtPEM=issuer.crt \
--set-file linkerd.identity.issuer.tls.keyPEM=issuer-private.pem
For offline installation:
helm upgrade --install linkerd ./linkerd -f values-linkerd.yaml -n linkerd --create-namespace \
--set-file linkerd.identityTrustAnchorsPEM=ca.crt \
--set-file linkerd.identity.issuer.tls.crtPEM=issuer.crt \
--set-file linkerd.identity.issuer.tls.keyPEM=issuer-private.pem
Attention
Installing the Linkerd add-on component does not automatically include support for scaling services on the side of the BRIX application.
After installation, do not forget to change the BRIX application parameters and set up auto-scaling on the side of the BRIX application.
Read more about enabling service scaling on the side of the BRIX application in Enable service autoscaling in BRIX Enterprise.
Delete Linkerd chart using helm in a Kubernetes cluster
Attention
Before removing the Linkerd add-on component, disable auto-scaling on the side of the BRIX application.
To delete the Linkerd chart in the linkerd namespace, run the following command:
helm uninstall linkerd -n linkerd