Install Linkerd

Linkerd is a dedicated infrastructure layer that facilitates service-to-service communication, automatically encrypts connections, and handles retries and timeouts. Installing the Linkerd add-on component ensures that gRPC traffic is balanced when ELMA365 services are scaled. It also provides telemetry (success rates, latencies) and much more.

Linkerd is required to support service scaling in the ELMA365 application. Without Linkerd installed, scaling of ELMA365 microservices will not work.

The installation consists of four steps:

  1. Prepare certificates for Linkerd.
  2. Download the helm chart and configuration file.
  3. Fill out the configuration file.
  4. Install the Linkerd chart using helm in the Kubernetes cluster.

Step 1: Prepare certificates for Linkerd

Generate the certificates using OpenSSL with the commands below. Linkerd requires a trust anchor certificate and an issuer certificate with its corresponding key to support mutual TLS connections between services. All certificates must use the ECDSA P-256 algorithm.

# Create CA private key
openssl ecparam -name prime256v1 -genkey -noout -out ca-private.pem
# Create CA public key
openssl ec -in ca-private.pem -pubout -out ca-public.pem
# Create self-signed CA certificate
openssl req -x509 -new -key ca-private.pem -days 3650 -out ca.crt -subj "/CN=root.linkerd.cluster.local"
# Create issuer private key
openssl ecparam -name prime256v1 -genkey -noout -out issuer-private.pem
# Create issuer public key
openssl ec -in issuer-private.pem -pubout -out issuer-public.pem
# Create certificate signing request
openssl req -new -key issuer-private.pem -out issuer.csr -subj "/CN=identity.linkerd.cluster.local" -addext basicConstraints=critical,CA:TRUE
# Create issuer certificate by signing the request
# (-extfile points to the system OpenSSL config; the path may differ on your distribution)
openssl x509 \
-extfile /etc/ssl/openssl.cnf \
-extensions v3_ca \
-req \
-in issuer.csr \
-days 3650 \
-CA ca.crt \
-CAkey ca-private.pem \
-CAcreateserial \
-out issuer.crt
# Remove certificate signing request
rm issuer.csr
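
Before passing these files to helm in Step 4, you can confirm that they meet the requirements stated above (ECDSA P-256 keys, CA certificates, issuer signed by the trust anchor, issuer key matching the issuer certificate). The check below is an added example and is not part of the ELMA365 documentation; the function name check_linkerd_certs is hypothetical, and it relies only on standard openssl subcommands.

```shell
#!/bin/sh
# Added example: pre-flight check for the files produced in Step 1.
# check_linkerd_certs is a hypothetical helper name, not an ELMA365 or Linkerd tool.
# Usage: check_linkerd_certs ca.crt issuer.crt issuer-private.pem
check_linkerd_certs() {
    ca=$1 issuer=$2 key=$3 rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    for crt in "$ca" "$issuer"; do
        text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) \
            || { fail "$crt is not a readable X.509 certificate"; continue; }
        # The public key must be ECDSA on curve P-256 (prime256v1)
        echo "$text" | grep -q 'ASN1 OID: prime256v1' \
            || fail "$crt does not use an ECDSA P-256 key"
        # Both the trust anchor and the issuer must be CA certificates
        echo "$text" | grep -q 'CA:TRUE' \
            || fail "$crt lacks basicConstraints CA:TRUE"
        # Reject certificates that have already expired
        openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
            || fail "$crt has expired"
    done

    # The issuer certificate must chain to the trust anchor
    openssl verify -CAfile "$ca" "$issuer" >/dev/null 2>&1 \
        || fail "$issuer is not signed by $ca"

    # The issuer private key must match the issuer certificate's public key
    cert_pub=$(openssl x509 -in "$issuer" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || fail "$key does not match $issuer"

    return "$rc"
}

# Run the check when the script is called with the three file paths
if [ "$#" -eq 3 ]; then
    check_linkerd_certs "$@"
fi
```

A non-zero exit status means at least one requirement is not met; the failed checks are printed to stderr.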

Step 2: Download the helm chart and configuration file

To install via the internet, obtain the values-linkerd.yaml configuration file by executing the following commands:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/linkerd > values-linkerd.yaml

Acquiring the configuration file for a closed-loop installation with no internet access

Step 3: Fill out the configuration file

Fill out the values-linkerd.yaml configuration file for installing Linkerd.

Specify the DNS domain name of the Kubernetes cluster in the linkerd.clusterDomain parameter (in this example, cluster.local).

## Linkerd settings
linkerd:
  ## DNS domain name of Kubernetes
  clusterDomain: cluster.local
  ## adds PodSecurityPolicy resource (deprecated starting with k8s v1.21)
  enablePSP: false
  ## disable heartbeat
  disableHeartBeat: false
...

To ensure high availability, you may uncomment the parameters in the Parameters for high availability section.

Example of enabling high availability:

## Linkerd settings
linkerd:
...
##
## Parameters for high availability
  controllerReplicas: 3
  enablePodDisruptionBudget: true
  deploymentStrategy:
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 25%
  enablePodAntiAffinity: true
  proxy:
    resources:
      cpu:
        request: 100m
      memory:
        limit: 250Mi
        request: 20Mi
  controllerResources: &controller_resources
    cpu: &controller_resources_cpu
      limit: ""
      request: 100m
    memory:
      limit: 250Mi
      request: 50Mi
  destinationResources: *controller_resources
  identityResources:
    cpu: *controller_resources_cpu
    memory:
      limit: 250Mi
      request: 10Mi
  heartbeatResources: *controller_resources
  proxyInjectorResources: *controller_resources
  webhookFailurePolicy: Fail
  spValidatorResources: *controller_resources
## 
...

Filling out the connection parameters to the private registry for installation in a closed-loop environment without internet access

Step 4: Install the Linkerd chart using helm in the Kubernetes cluster

Install the Linkerd chart into the linkerd namespace. The namespace is created during installation if it does not already exist.

In this article, the installation command is executed from the directory where the certificates were created in Step 1. If you run the command from a different directory, specify the paths to the certificates created in Step 1 (ca.crt, issuer.crt, issuer-private.pem).

For online installation:

helm upgrade --install linkerd elma365/linkerd -f values-linkerd.yaml -n linkerd --create-namespace \
--set-file linkerd.identityTrustAnchorsPEM=ca.crt \
--set-file linkerd.identity.issuer.tls.crtPEM=issuer.crt \
--set-file linkerd.identity.issuer.tls.keyPEM=issuer-private.pem

For offline installation:

helm upgrade --install linkerd ./linkerd -f values-linkerd.yaml -n linkerd --create-namespace \
--set-file linkerd.identityTrustAnchorsPEM=ca.crt \
--set-file linkerd.identity.issuer.tls.crtPEM=issuer.crt \
--set-file linkerd.identity.issuer.tls.keyPEM=issuer-private.pem

Important

Installing the Linkerd add-on component does not automatically enable support for scaling services in the ELMA365 application.

After installation, do not forget to change the ELMA365 application parameters and set up auto-scaling in the ELMA365 application.

Read more about enabling service scaling in the ELMA365 application in Enable service autoscaling in ELMA365 Enterprise.

Delete Linkerd chart using helm in a Kubernetes cluster

Important

Before removing the Linkerd add-on component, disable auto-scaling in the ELMA365 application.

To delete the Linkerd chart from the linkerd namespace, run the following command:

helm uninstall linkerd -n linkerd
