Skip to main content
Calico Enterprise 3.20 (latest) documentation

Install Calico Enterprise on an OpenShift HCP cluster

Big picture

Install Calico Enterprise on an OpenShift Hosted Control Planes (HCP) cluster.

Value

Provides steps to install Calico Enterprise in OpenShift Hosted Control Planes (HCP) clusters using the HyperShift middleware, augmenting the steps in the HyperShift documentation where appropriate.

Before you begin

  • Ensure that your environment meets the Calico Enterprise system requirements.

  • Ensure that you have a RedHat account. A RedHat account is required to get the pull secret necessary to provision an OpenShift cluster. Note that the OpenShift installer supports a subset of AWS regions.

  • If installing on AWS, ensure that you have:

    • Configured an AWS account appropriate for OpenShift 4
    • Set up your AWS credentials
    • Generated a local SSH private key and added it to your ssh-agent

  • Install the HyperShift CLI and fulfill all the other Prerequisites from the HyperShift documentation.

How to

Create the hosting cluster

Deploy an OpenShift cluster with Calico Enterprise. This will be the hosting cluster with control-plane nodes for all hosted clusters you deploy with the steps below. Set up your KUBECONFIG environment variable to your hosting cluster's kubeconfig file:

export KUBECONFIG=/path/to/kubeconfig

Install the HyperShift operator in the hosting cluster

Follow the steps from the HyperShift documentation to Install the HyperShift Operator.

Create a hosted cluster

Create a hosted cluster with Calico Enterprise by going through the following steps (slightly modified from the HyperShift docs).

  1. Create a HostedCluster and set its HostedCluster.spec.networking.networkType to Other:
note

Make sure to adjust the variables for the command below to the correct values for your cluster, credentials and environment.

HOSTED_CLUSTER_NAME=my-os-hosted-cluster
REGION=us-west-2
BASE_DOMAIN=www.example.com
AWS_CREDS="$HOME/.aws/credentials"
PULL_SECRET="$HOME/.secrets/redhat-pull-secret.txt"

hypershift create cluster aws \
  --name $HOSTED_CLUSTER_NAME \
  --node-pool-replicas=3 \
  --base-domain $BASE_DOMAIN \
  --pull-secret $PULL_SECRET \
  --aws-creds $AWS_CREDS \
  --region $REGION \
  --generate-ssh \
  --network-type Other
note

If your hosted cluster is having authorization problems with your Red Hat pull secret (unauthorized: authentication required in the HyperShift operator pod logs), make sure it is using a stable release image for the OpenShift Container Platform (OCP). You can find them in [https://amd64.ocp.releases.ci.openshift.org], for example --release-image quay.io/openshift-release-dev/ocp-release:4.16.4-x86_64

note

There is currently an issue with the HyperShift middleware that will result in the hosted cluster installation not progressing due to a missing OVNSbDb service. Patch the hosted cluster resource in order to add it:

HOSTED_CLUSTER_NAME=my-os-hosted-cluster
CLUSTER_NS="clusters"
oc patch -n ${CLUSTER_NS} hostedcluster ${HOSTED_CLUSTER_NAME} --type='json' -p '[{"op": "add", "path": "/spec/services/-", "value": {"service":"OVNSbDb","servicePublishingStrategy": {"type": "Route"}}}]'

Once the hosted cluster is up, use the hypershift CLI tool to generate the kubeconfig file:

hypershift create kubeconfig > hosted_kubeconfig && export KUBECONFIG=$(pwd)/hosted_kubeconfig

Then, copy the aws-creds secret from the hosting cluster to the hosted cluster. Run this using the hosting cluster kubeconfig to extract the secret to a yaml file:

oc get secrets --kubeconfig /path/to/hosting/kubeconfig -n kube-system aws-creds -o yaml > aws-creds.yaml

Then import it in the hosted cluster:

oc apply --kubeconfig /path/to/hosted/kubeconfig -f aws-creds.yaml
note

There is no need to specify the --kubeconfig CLI argument if the hosted cluster's kubeconfig file is configured as the KUBECONFIG environment variable in your shell.

Create a storage class

Calico Enterprise requires storage for logs and reports. Before finishing the installation, you must create a StorageClass for Calico Enterprise.

Download the Calico Enterprise install manifests

Now download and apply the Calico Enterprise manifests according to the HyperShift docs.

Download the Calico Enterprise manifests for OpenShift:

mkdir calico
wget -qO- https://downloads.tigera.io/ee/v3.20.1/manifests/ocp.tgz | tar xvz --strip-components=1 -C calico

Add an image pull secret

Update the contents of the secret with the image pull secret provided to you by a Tigera support representative.

For example, if the secret is located at ~/.docker/config.json, run the following commands.

SECRET=$(cat ~/.docker/config.json | tr -d '\n\r\t ' | base64 -w 0)
sed -i "s/SECRET/${SECRET}/" calico/02-pull-secret.yaml

Optionally provide additional configuration

You may want to provide Calico with additional configuration at install-time. For example, BGP configuration or peers. You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation. If you do not need to provide additional configuration, you can skip this section.

To include Calico resources during installation, edit calico_hosted/02-configmap-calico-resources.yaml to add your own configuration.

note

If you have a directory with the Calico resources, you can create the file with the command:

oc create configmap -n tigera-operator calico-resources \
--from-file=<resource-directory> --dry-run -o yaml \
calico/02-configmap-calico-resources.yaml

With recent versions of oc it is necessary to have a kubeconfig configured or add --server='127.0.0.1:443' even though it is not used.

note

If you have provided a calico-resources configmap and the tigera-operator pod fails to come up with Init:CrashLoopBackOff, check the output of the init-container with oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources.

Apply the Calico Enterprise install manifests

Apply the install manifests paying attention to the required order:

cd calico/
ls 00*.yaml | xargs -n1 oc apply -f
ls 01*.yaml | xargs -n1 oc apply -f
ls 02*.yaml | xargs -n1 oc apply -f

Install the Calico Enterprise license

In order to use Calico Enterprise, you must install the license provided to you by Tigera support representative. Before applying the license, wait until the Tigera API server is ready with the following command:

watch oc get tigerastatus

Wait until the apiserver shows a status of Available.

After the Tigera API server is ready, apply the license:

oc create -f </path/to/license.yaml>

Install Calico Enterprise resources

Apply the custom resources for enterprise features.

oc create -f https://downloads.tigera.io/ee/v3.20.1/manifests/ocp/tigera-enterprise-resources.yaml

Apply the Calico Enterprise manifests for the Prometheus operator.

note
Complete this step only if you are using the Calico Enterprise Prometheus operator (including adding your own Prometheus operator). Skip this step if you are using BYO Prometheus that you manage yourself.
oc create -f https://downloads.tigera.io/ee/v3.20.1/manifests/ocp/tigera-prometheus-operator.yaml

You can now monitor progress with the following command:

watch oc get tigerastatus

When it shows all components with status Available, proceed to the next step.

(Optional) Apply the full CRDs including descriptions.

oc apply --server-side --force-conflicts -f https://downloads.tigera.io/ee/v3.20.1/manifests/operator-crds.yaml

Next steps

Recommended

Recommended - Networking

Recommended - Security