Skip to main content
Version: 3.18 (latest)

Install Calico Enterprise on OpenShift

Big picture

Install an OpenShift 4 cluster with Calico Enterprise.

This guide augments the applicable steps in the OpenShift documentation to install Calico Enterprise.

Before you begin

CNI support

Calico CNI for networking with Calico Enterprise network policy

The geeky details of what you get:

PolicyIPAMCNIOverlayRoutingDatastore

Required

How to

  1. Create a configuration file for the OpenShift installer
  2. Update the configuration file to use Calico Enterprise
  3. Generate the install manifests
  4. Add an image pull secret
  5. Provide additional configuration
  6. Create the cluster
  7. Create a storage class
  8. Install the Calico Enterprise license

Create a configuration file for the OpenShift installer

First, create a staging directory for the installation. This directory will contain the configuration file, along with cluster state files, that OpenShift installer will create:

mkdir openshift-tigera-install && cd openshift-tigera-install

Now run OpenShift installer to create a default configuration file:

openshift-install create install-config
note
See the OpenShift installer documentation for more information about the installer and any configuration changes required for your platform.

After the installer finishes, your staging directory will contain the configuration file install-config.yaml.

Update the configuration file to use Calico Enterprise

Override the OpenShift networking to use Calico Enterprise and update the AWS instance types to meet the system requirements:

sed -i 's/\(OpenShiftSDN\|OVNKubernetes\)/Calico/' install-config.yaml
sed -i 's/platform: /platform:\n aws:\n type: m4.xlarge/g' install-config.yaml

Generate the install manifests

Now generate the Kubernetes manifests using your configuration file:

openshift-install create manifests

Download the Calico Enterprise manifests for OpenShift and add them to the generated manifests directory:

mkdir calico
wget -qO- https://downloads.tigera.io/ee/v3.18.1/manifests/ocp.tgz | tar xvz --strip-components=1 -C calico
cp calico/* manifests/

Add an image pull secret

Update the contents of the secret with the image pull secret provided to you by Tigera support representative.

For example, if the secret is located at ~/.docker/config.json, run the following commands.

SECRET=$(cat ~/.docker/config.json | tr -d '\n\r\t ' | base64 -w 0)
sed -i "s/SECRET/${SECRET}/" manifests/02-pull-secret.yaml

Provide additional configuration

To provide additional configuration during installation (for example, BGP configuration or peers), use a Kubernetes ConfigMap with your desired Calico Enterprise resources. If you do not need to provide additional configuration, skip this section.

To include Calico Enterprise resources during installation, edit manifests/02-configmap-calico-resources.yaml in order to add your own configuration.

note

If you have a directory with the Calico Enterprise resources, you can create the file with the command:

kubectl create configmap -n tigera-operator calico-resources \
--from-file=<resource-directory> --dry-run -o yaml \
> manifests/02-configmap-calico-resources.yaml

With recent versions of kubectl it is necessary to have a kubeconfig configured or add --server='127.0.0.1:443' even though it is not used.

note

If you have provided a calico-resources configmap and the tigera-operator pod fails to come up with Init:CrashLoopBackOff, check the output of the init-container with kubectl logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources.

Create the cluster

Start the cluster creation with the following command and wait for it to complete.

openshift-install create cluster

Create a storage class

Calico Enterprise requires storage for logs and reports. Before finishing the installation, you must create a StorageClass for Calico Enterprise.

Install the Calico Enterprise license

In order to use Calico Enterprise, you must install the license provided to you by Tigera support representative. Before applying the license, wait until the Tigera API server is ready with the following command:

watch oc get tigerastatus

Wait until the apiserver shows a status of Available.

After the Tigera API server is ready, apply the license:

oc create -f </path/to/license.yaml>

Install Calico Enterprise resources

Apply the custom resources for enterprise features.

oc create -f https://downloads.tigera.io/ee/v3.18.1/manifests/ocp/tigera-enterprise-resources.yaml

Apply the Calico Enterprise manifests for the Prometheus operator.

note
Complete this step only if you are using the Calico Enterprise Prometheus operator (including adding your own Prometheus operator). Skip this step if you are using BYO Prometheus that you manage yourself.
oc create -f https://downloads.tigera.io/ee/v3.18.1/manifests/ocp/tigera-prometheus-operator.yaml

Create the pull secret in the tigera-prometheus namespace and then patch the Prometheus operator deployment. Use the image pull secret provided to you by Tigera support representative.

oc create secret generic tigera-pull-secret \
--type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
--from-file=.dockerconfigjson=<path/to/pull/secret>
oc patch deployment -n tigera-prometheus calico-prometheus-operator \
-p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'

You can now monitor progress with the following command:

watch oc get tigerastatus

When it shows all components with status Available, proceed to the next step.

(Optional) Apply the full CRDs including descriptions.

oc apply --server-side --force-conflicts -f https://downloads.tigera.io/ee/v3.18.1/manifests/operator-crds.yaml

Next steps

Recommended

Recommended - Networking

Recommended - Security