Connect a cluster to Calico Cloud Free
This page shows you how to connect your Kubernetes cluster to Calico Cloud Free.
Don't have a cluster ready to connect? Try the Calico Cloud Free quickstart guide to create a cluster locally and connect it to Calico Cloud Free.
Prerequisites
- You have a Kubernetes cluster.
- Your
kubectltool is configured to communicate with your cluster. - If you're working in a restricted network environment, you are able to create allow rules for TCP egress traffic to the Calico Cloud management plane.
- Your
- You installed Calico Open Source 3.30 or later on your cluster.
- If you upgraded from an earlier version of Calico Open Source, you enabled the
Goldmanecustom resource. - Calico Open Source was installed using the operator method. Manifest- and Helm-based installations are not supported.
- If you upgraded from an earlier version of Calico Open Source, you enabled the
- You have an active Calico Cloud Free account. To create an account, go to the Calico Cloud Free sign-up page.
- You are signed in to the Calico Cloud web console.
Connect your cluster
-
From the web console, click the Connect a cluster button on the welcome screen.
-
Follow the prompts to create a name for your cluster and copy a
kubectlcommand to run in your cluster.What's happening in this command?
This command creates three resources in your cluster:
- A
ManagementClusterConnectionresource. This resource specifies the address of the Calico Cloud management cluster. - A
Secretresource (tigera-managed-cluster-connection). This resource provides certificates for secure communication between your cluster and the Calico Cloud management cluster. - A
Secretresource (tigera-voltron-linseed-certs-public). This resource provides certificates for secure communications for the specific components that Calico Cloud uses for log data and observability.
Example of generated kubectl command to connect a cluster to Calico Cloud Freekubectl apply -f - <<EOF
# Once applied to your managed cluster, a deployment is created to establish a secure tcp connection
# with the management cluster.
apiVersion: operator.tigera.io/v1
kind: ManagementClusterConnection
metadata:
name: tigera-secure
spec:
# ManagementClusterAddr should be the externally reachable address to which your managed cluster
# will connect. Valid examples are: "0.0.0.0:31000", "example.com:32000", "[::1]:32500"
managementClusterAddr: "oss-ui-01-management.calicocloud.io:443"
---
apiVersion: v1
kind: Secret
metadata:
name: tigera-managed-cluster-connection
namespace: tigera-operator
type: Opaque
data:
# This is the certificate of the management cluster side of the tunnel.
management-cluster.crt: ...
# The certificate and private key that are created and signed by the CA in the management cluster.
managed-cluster.crt: ...
managed-cluster.key: ...
---
apiVersion: v1
kind: Secret
metadata:
name: tigera-voltron-linseed-certs-public
namespace: tigera-operator
type: Opaque
data:
tls.crt: ...
EOF - A
-
To start the connection process, run the
kubectlcommand in your terminal.Sample outputmanagementclusterconnection.operator.tigera.io/tigera-secure created
secret/tigera-managed-cluster-connection created
secret/tigera-voltron-linseed-certs-public created -
After your run the command, click I applied the manifest to continue.
Verify your connection
- From the web console, click Managed clusters to view a list of managed clusters. If your cluster connected successfully, you'll see its connection status is Connected.
Troubleshooting
Connection status remains Disconnected
Your network environment restricts egress traffic to the Calico Cloud management cluster
If your network environment restricts egress traffic to the Calico Cloud management cluster, you need to create allow rules so your cluster can connect.
You can find the address of the Calico Cloud management cluster in the ManagementClusterAddr field of the ManagementClusterConnection resource:
kubectl get managementclusterconnection tigera-secure -o jsonpath='{.spec.managementClusterAddr}'
You'll see something like this:
oss-ui-01-management.calicocloud.io:443
Make sure your network allows TCP egress traffic to this address.
Next steps
- To try out the observability tools with demo applications, follow the quickstart guide from Step 4. Deploy NGINX and BusyBox to generate traffic.
- Remove a cluster from Calico Cloud Free