Upgrade Calico to Calico Enterprise installed with Helm
All upgrades in Calico Enterprise are free with a valid license.
Prepare your cluster for the upgrade​
Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
Upgrade from Calico to Calico Enterprise​
The following steps assume the Calico deployment is installed on tigera-operator
namespace. Replace with valid namespace otherwise.
-
Get the Helm chart
curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.21.0-1.0-0.tgz
-
Install the Calico Enterprise custom resource definitions.
kubectl apply --server-side --force-conflicts -f https://downloads.tigera.io/ee/v3.21.0-1.0/manifests/operator-crds.yaml
kubectl create -f https://downloads.tigera.io/ee/v3.21.0-1.0/manifests/prometheus-operator-crds.yaml
kubectl create -f https://downloads.tigera.io/ee/v3.21.0-1.0/manifests/eck-operator-crds.yaml -
Run the Helm upgrade command for
tigera-operator
:helm upgrade calico tigera-operator-v3.21.0-1.0-0.tgz \
--set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
--namespace tigera-operator -
Wait until the
apiserver
shows a status ofAvailable
, then proceed to the next section. You can monitor progress with the following command:watch kubectl get tigerastatus/apiserver
-
Install your Calico Enterprise license.
kubectl create -f </path/to/license.yaml>
-
Monitor progress, wait until all components show a status of
Available
, then proceed to the next step.watch kubectl get tigerastatus
noteIf there are any problems you can use
kubectl get tigerastatus -o yaml
to get more details.