Install Calico Cloud as part of an automated workflow
You can connect clusters to Calico Cloud as part of an automated workflow, using persistent client credentials and customized Helm charts.
Prerequisites
- You have an active Calico Cloud account. You can sign up for a 14-day free trial at calicocloud.io.
- You are signed in to the Calico Cloud Manager UI as a user with the Owner or Admin role.
- You have at least one cluster that meets our system requirements.
- You have kubectl access to the cluster.
- You have installed Helm 3.0 or later on your workstation.
Create client credentials
Create client credentials and generate a Kubernetes secret to use for automated Helm installations.
- Select the user icon > Settings.
- Under the Client Credentials tab, click Add Client Credential.
- In the Add Client Credential dialog, enter a name and click Create. Your new client credential will appear in the list on the Manage Client Credentials page.
- Locate the newly created client credential in the list and select Action > Manage keys > Add Key.
- Enter a name, choose how long the key will be valid, and click Create key.
- Click Download to download the <key-name>.yaml secret file and store it in a secure location. You will not be able to retrieve this secret again.
To ensure that you always have a valid key, you should transition to a second key before the first key expires. Create a second key, download the secret, and then replace copies of the secret file for the first key with the secret file for the second key. When all the secrets from the first key have been replaced, you can safely delete the first key from the Client Credentials page. When the key is deleted, all API requests based on that key will be rejected.
About customizing your Helm installation
You can customize your Calico Cloud installation for the following purposes:
- to enable or disable certain features
- to modify pod scheduling and resource management
To do this, you can either edit the default values.yaml file or pass individual key-value pairs using the --set flag for the helm upgrade command.
Required parameters
The following parameters are required for all Calico Cloud installations.
Parameter | Value | Example | Description |
---|---|---|---|
installer.clusterName | string | cluster-name | The name given to your managed cluster in Calico Cloud. |
installer.calicoCloudVersion | string | v20.3.0 | The version of Calico Cloud you're installing. |
installer:
  clusterName: example-cluster
  calicoCloudVersion: v20.3.0
Optional parameters for private registries
If you're using a private registry, you must set the following parameters.
Parameter | Value | Example | Description |
---|---|---|---|
installer.registry | string | registry-name | The name given to your managed cluster in Calico Cloud. |
installer.imagePath | string | image-path | The version of Calico Cloud you're installing. |
imagePullSecrets.name | string | secret-name | The version of Calico Cloud you're installing. |
Optional parameters for features
The following parameters enable certain features in Calico Cloud.
These features can be enabled or disabled only by setting them in your values.yaml file at installation.
Feature name | Parameter | Values |
---|---|---|
Image Assurance | installer.components.imageAssurance.state | Enabled (default), Disabled |
Container Threat Detection | installer.components.runtimeSecurity.state | Enabled, Disabled (default) |
Security Posture Dashboard | installer.components.securityPosture.state | Enabled (default), Disabled |
Packet Capture | installer.components.packetCaptureAPI.state | Enabled, Disabled (default) |
Compliance Reports | installer.components.compliance.enabled | true (default), false |
If you're upgrading from Calico Cloud 19 or earlier, the Container Threat Detection and Packet Capture features will remain enabled unless you explicitly set them to Disabled.
Optional parameters for pod scheduling and resource management
For many Calico Cloud components, you can specify node selectors, tolerations, and resource requests and limits.
The full list of Calico Cloud components is available in the default values.yaml file.
Helm may overwrite previous customizations of custom resource fields available under the installer.components Helm parameter.
For installer.components, you should define all your values.yaml customizations to be sure nothing is lost during Calico Cloud upgrades and reinstalls.
Prepare your values.yaml with customizations
Prerequisites
- You reviewed the information about available customizations in About customizing your Helm installation.
- If you're installing from a private registry, you added the Calico Cloud images to a private registry, and you have the following information about the registry:
  - Registry secret name
    Note: If your private registry requires credentials, create a calico-cloud namespace on your cluster. Then, create an image pull secret and use this name for the Registry Secret Name.
  - Image registry
  - Image path
- Add the Calico Cloud Helm repository to your local client:
  helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update
- Save the default values definitions to your workstation so you can edit them locally:
  helm show values calico-cloud/calico-cloud > <custom-values>.yaml
  All editable values are provided in the default values definitions.
- Add values for the required parameters, installer.clusterName and installer.calicoCloudVersion.
  Example from values.yaml file with clusterName and calicoCloudVersion:
  installer:
    clusterName: example-cluster
    calicoCloudVersion: v20.3.0
- Add values for the optional parameters. For each resource you want to edit, uncomment the object, add a value, and save.
  Example from values.yaml file with compliance reports disabled:
  installer:
    components:
      compliance:
        enabled: false
Install Calico Cloud as part of an automated workflow
You can install Calico Cloud using repeatable kubectl or Helm commands together with valid client credentials. These commands can be added to any automated workflow.
Prerequisites
- You have generated a set of client credentials and you know the path to your secret.
- You have a values.yaml file with your customizations.
- Add the Calico Cloud Helm repository to your local client:
  helm repo add calico-cloud https://installer.calicocloud.io/charts --force-update
- Add the Calico Cloud custom resource definitions:
  helm upgrade --install calico-cloud-crds calico-cloud/calico-cloud-crds \
    --namespace calico-cloud \
    --create-namespace
- Apply the client credentials secret to your cluster:
  kubectl apply -f <key-name>.yaml
  Important: You should keep track of this with a secret management system.
- Apply the Calico Cloud installer custom resource with your customizations in the values.yaml file:
  helm upgrade --install calico-cloud calico-cloud/calico-cloud \
    --namespace calico-cloud \
    -f <custom-values>.yaml
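
The checks below are an added example, not part of the Calico Cloud documentation or tooling: they gate the final install step on the required parameters being present and on an explicit state for the two features that stay enabled after an upgrade from Calico Cloud 19 or earlier. The function names are hypothetical, and the parser assumes a values file made of plain nested mappings indented with spaces, like the snippets on this page.

```shell
# Added example (not Calico Cloud tooling); assumes space-indented nested mappings.

# Flatten nested YAML mappings into "dotted.path=value" lines.
flatten_values() {
  awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
      indent = match($0, /[^ ]/) - 1            # count of leading spaces
      line = substr($0, indent + 1)
      sub(/[ \t]+#.*$/, "", line)               # drop trailing comments
      sep = index(line, ":"); if (sep == 0) next
      key = substr(line, 1, sep - 1)
      val = substr(line, sep + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      if (val == "") next                       # parent mapping, no scalar
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      print path "=" val
    }' "$1"
}

# Print the scalar stored at a dotted key: get_value <values-file> <dotted.key>
get_value() {
  flatten_values "$1" | awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# Print one line per problem; return non-zero if any were found.
check_values() {
  rc=0
  for key in installer.clusterName installer.calicoCloudVersion; do
    [ -n "$(get_value "$1" "$key")" ] || { echo "missing required: $key"; rc=1; }
  done
  # Both stay enabled after an upgrade from 19 or earlier unless explicitly Disabled.
  for key in runtimeSecurity packetCaptureAPI; do
    case "$(get_value "$1" "installer.components.$key.state")" in
      Enabled|Disabled) ;;
      *) echo "state not set explicitly: installer.components.$key.state"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Run the final install step only if the checks pass (call this from the workflow).
install_calico_cloud() {
  check_values "$1" || return 1
  helm upgrade --install calico-cloud calico-cloud/calico-cloud --namespace calico-cloud -f "$1"
}
```

Quoted values and list items are outside what this parser handles, so a quoted state such as "Disabled" is reported as not set.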