Calico Enterprise 3.17 documentation

Tanzu Kubernetes Grid (TKG)

Big picture

Install Calico Enterprise on a Tanzu Kubernetes Grid cluster.

Before you begin

CNI support

Calico CNI for networking with Calico Enterprise network policy:

The geeky details of what you get:

Policy | IPAM | CNI | Overlay | Routing | Datastore

Required

  • A compatible TKG cluster

  • Configure your cluster for Calico Enterprise CNI

    The workload cluster must be configured with CNI: none. When the workload cluster is bootstrapped, the nodes will be in a NotReady state until Calico Enterprise is installed. For more information, see Tanzu networking and Tanzu configuration file reference.

  • Cluster meets the system requirements

  • A Tigera license key and credentials

  • If using AWS, EC2 instances must be configured to belong to a separate SecurityGroup with ingress rules:

    • Calico (BGP) TCP 179
    • Calico (Typha) TCP 5473
    • Manager UI Prometheus metrics TCP 9081
    • Manager UI BGP metrics TCP 9900
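
One way to check the AWS requirement above before installing, as an added example that is not part of the Calico Enterprise documentation: it audits `aws ec2 describe-security-groups` JSON for the four required TCP ingress rules. The group ID and sample rules are constructed, and flagging rules open to any source address is an addition of this example, not a requirement stated on this page.

```python
import json

# Ingress rules the page lists as required (all TCP):
# 179 Calico (BGP), 5473 Calico (Typha), 9081 and 9900 Manager UI metrics.
REQUIRED_TCP_PORTS = (179, 5473, 9081, 9900)

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 179, "ToPort": 179,
         "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]},
        {"IpProtocol": "tcp", "FromPort": 5473, "ToPort": 5473,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]}]})

def _covers(perm, port):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", -1)

def _world_open(perm):
    """True if the entry admits any IPv4 or IPv6 source address."""
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))

def audit_ingress(describe_json, group_id):
    """Return (missing_ports, world_open_ports) for one security group."""
    groups = {g["GroupId"]: g for g in json.loads(describe_json)["SecurityGroups"]}
    perms = groups[group_id].get("IpPermissions", [])  # KeyError if group absent
    missing, exposed = [], []
    for port in REQUIRED_TCP_PORTS:
        matches = [p for p in perms if _covers(p, port)]
        if not matches:
            missing.append(port)
        elif any(_world_open(p) for p in matches):
            exposed.append(port)
    return missing, exposed

if __name__ == "__main__":
    missing, exposed = audit_ingress(SAMPLE, "sg-EXAMPLE")
    print("missing:", missing, "open to any source:", exposed)
```

To audit a real group, pass the output of `aws ec2 describe-security-groups --group-ids <your-group-id> --output json` in place of the sample.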

How to

Install Calico Enterprise

  • Configure storage for Calico Enterprise.
    1. Install the Tigera operator and custom resource definitions.

      kubectl create -f https://downloads.tigera.io/ee/v3.17.4/manifests/tigera-operator.yaml
    2. Install the Prometheus operator and related custom resource definitions. The Prometheus operator will be used to deploy Prometheus server and Alertmanager to monitor Calico Enterprise metrics.

      Note: If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

      kubectl create -f https://downloads.tigera.io/ee/v3.17.4/manifests/tigera-prometheus-operator.yaml
    3. Install your pull secret.

      If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials.

      kubectl create secret generic tigera-pull-secret \
      --type=kubernetes.io/dockerconfigjson -n tigera-operator \
      --from-file=.dockerconfigjson=<path/to/pull/secret>

      For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

      kubectl create secret generic tigera-pull-secret \
      --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
      --from-file=.dockerconfigjson=<path/to/pull/secret>

      kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
      -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
    4. (Optional) If your cluster architecture requires any custom Calico Enterprise resources to function at startup, install them now using calicoctl.
    5. Install the Tigera custom resources. For more information on configuration options available, see the installation reference.

      kubectl create -f https://downloads.tigera.io/ee/v3.17.4/manifests/custom-resources.yaml
    6. You can now monitor progress with the following command:

      watch kubectl get tigerastatus

      Wait until the apiserver shows a status of Available, then proceed to the next section.

    Install Calico Enterprise license

    Install the Calico Enterprise license provided to you by Tigera.

    kubectl create -f </path/to/license.yaml>

    You can now monitor progress with the following command:

    watch kubectl get tigerastatus
