Installing Linkerd with Helm

    The identity component of Linkerd requires setting up a trust anchorcertificate, and an issuer certificate with its key. These need to be providedto Helm by the user (unlike when using the linkerd install CLI which cangenerate these automatically). You can provide your own, or follow theseinstructions to generate new ones.

    Adding Linkerd’s Helm repository

    The following instructions use the linkerd repo. For installing an edgerelease, just replace with linkerd-edge.

    1. # set expiry date one year from now, in Mac:
    2. exp=$(date -v+8760H +"%Y-%m-%dT%H:%M:%SZ")
    3. # in Linux:
    5. helm install \
    6.   --name=linkerd2 \
    7.   --set-file Identity.TrustAnchorsPEM=ca.crt \
    8.   --set-file Identity.Issuer.TLS.CrtPEM=issuer.crt \
    9.   --set-file Identity.Issuer.TLS.KeyPEM=issuer.key \
    10.   --set Identity.Issuer.CrtExpiry=$exp \

    The chart values will be picked from the chart’s values.yaml file.

    Setting High-Availability

    The chart contains a file values-ha.yaml that overrides somedefault values as to set things up under a high-availability scenario, analogousto the —ha option in linkerd install. Values such as higher number ofreplicas, higher memory/cpu limits and affinities are specified in that file.

    You can get ahold of values-ha.yaml by fetching the chart files:

    Then use the -f flag to provide the override file, for example:

    1. ## see above on how to set $exp
    2.   --name=linkerd2 \
    3.   --set-file Identity.TrustAnchorsPEM=ca.crt \
    4.   --set-file Identity.Issuer.TLS.CrtPEM=issuer.crt \
    6.   --set Identity.Issuer.CrtExpiry=$exp \
    7.   -f linkerd2/values-ha.yaml \
    8.   linkerd/linkerd2

    By default, the chart creates the control plane namespace with theconfig.linkerd.io/admission-webhooks: disabled label. It is required for thecontrol plane to work correctly. This means that the chart won’t work withHelm v2’s —namespace option. If you’re relying on a separate tool to createthe control plane namespace, make sure that:

    • The namespace is labeled with linkerd.io/admission-webhooks: disabled
    • The InstallNamespace is set to false

    NoteIn Helm v3 the —namespace option must be used with an existing namespace.

    Helm upgrade procedure

    Make sure your local Helm repos are updated:

    1. helm upgrade linkerd2 linkerd/linkerd2 --reuse-values