Version: 3.17 (latest)


Big picture

Install Calico Enterprise on a Kubernetes cluster using Helm 3.


Helm charts are a way to package up an application for Kubernetes (similar to apt or yum for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.

Before you begin



  • If you bring your own Prometheus operator and omit the Tigera Prometheus operator from our Helm chart during installation, make sure that it is running before you install Calico Enterprise.

Not Supported

  • Multi-cluster management (mcm)


Operator based installation

In this guide, you install the Tigera Calico operator and custom resource definitions using the Helm 3 chart. The Tigera operator provides lifecycle management for Calico Enterprise, exposed through a Kubernetes API that is defined as a custom resource definition.

How to

Download the Helm chart

  1. Get the Helm chart:

    curl -O -L

Customize the Helm chart

If you are installing on a cluster installed by EKS, GKE, AKS or Mirantis Kubernetes Engine (MKE), or you need to customize TLS certificates, you must customize this Helm chart by creating a values.yaml file. Otherwise, you can skip this step.

  1. If you are installing on a cluster installed by EKS, GKE, AKS or Mirantis Kubernetes Engine (MKE), set the kubernetesProvider as described in the Installation reference. For example:

    echo '{ installation: {kubernetesProvider: EKS }}' > values.yaml

    For an Azure AKS cluster with no Kubernetes CNI pre-installed, create values.yaml with the following command, replacing <pod-network-CIDR> with the CIDR of your pod network:

    cat > values.yaml <<EOF
    installation:
      kubernetesProvider: AKS
      cni:
        type: Calico
      calicoNetwork:
        bgp: Disabled
        ipPools:
        - cidr: <pod-network-CIDR>
          encapsulation: VXLAN
    EOF
  2. Add any other customizations you require to values.yaml. You might like to refer to the helm docs or run:

    helm show values ./tigera-operator-v3.17.3-0.tgz

Install Calico Enterprise

  1. Configure a storage class for Calico Enterprise

  2. Create the tigera-operator namespace:

    kubectl create namespace tigera-operator
  3. Install the Tigera Calico Enterprise operator and custom resource definitions using the Helm chart, passing in your image pull secrets:

    helm install calico-enterprise tigera-operator-v3.17.3-0.tgz \
    --set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
    --namespace tigera-operator

    or if you created a values.yaml above:

    helm install calico-enterprise tigera-operator-v3.17.3-0.tgz -f values.yaml \
    --set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
    --namespace tigera-operator
  4. Monitor progress, wait until apiserver shows a status of Available, then proceed to the next step.

    watch kubectl get tigerastatus/apiserver
  5. Install your Calico Enterprise license:

    kubectl apply -f </path/to/license.yaml>
  6. You can now monitor progress with the following command:

    watch kubectl get tigerastatus
  7. Congratulations! You have now installed Calico Enterprise using the Helm 3 chart.
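
For unattended installs, the wait in step 4 can be scripted instead of watched by eye. The following is an added example, not part of the Calico Enterprise documentation: the function names are hypothetical, the sample table is constructed, and the parser assumes the default `kubectl get tigerastatus` columns (NAME, AVAILABLE, PROGRESSING, DEGRADED, SINCE).

```shell
#!/bin/sh
# Added example (not from the Calico Enterprise docs); function names are hypothetical.

# Constructed sample of `kubectl get tigerastatus` output, for offline runs.
SAMPLE_STATUS='NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   True        False         False      2m
calico      True        False         False      5m
manager     False       True          False      10s'

# Reads the tigerastatus table on stdin and prints every component that is not
# Available=True or that reports Degraded=True. Arguments restrict the check to
# the named components; a named component absent from the table is printed too,
# so an empty or failed kubectl call never counts as ready.
tigerastatus_not_ready() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        NF == 0 || (NR == 1 && $1 == "NAME") { next }   # blank line or header
        {
            seen[$1] = 1
            if (n > 0 && !($1 in need)) next
            if ($2 != "True" || $4 == "True") print $1
        }
        END { for (c in need) if (!(c in seen)) print c }
    '
}

# Polls until tigerastatus/apiserver is Available; fails after $1 seconds
# (default 600) and names what is still pending.
wait_for_apiserver() {
    deadline=$(( $(date +%s) + ${1:-600} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        pending=$(kubectl get tigerastatus 2>/dev/null | tigerastatus_not_ready apiserver)
        if [ -z "$pending" ]; then return 0; fi
        sleep 10
    done
    echo "still not Available: $pending" >&2
    return 1
}

# Usage in an install script, between steps 3 and 5:
#   wait_for_apiserver 900 && kubectl apply -f </path/to/license.yaml>
```

Called with no arguments, `tigerastatus_not_ready` checks every component, which suits the final check in step 6.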

Next steps

Multicluster Management


Recommended - Networking

Recommended - Security