Upgrade from Calico to Calico Enterprise on OpenShift
Prerequisites​
Ensure that your Kubernetes cluster is running with open source Calico on the latest release using an operator-based installation. If not, follow the Calico upgrade documentation before continuing.
Ensure your Kubernetes cluster is using the Kubernetes datastore. If you are using an etcdv3 datastore, or the cluster doesn't have a datastore, contact Tigera Support to upgrade the datastore.
Your Kubernetes cluster must not be running in production. Operator-based upgrades from open source Calico are not recommended for production clusters due to limited testing. Also, upgrades are not tested with open source Calico prior to v3.15.
If your cluster already has Calico Enterprise installed, follow the Upgrading Calico Enterprise from an earlier release guide instead.
Prepare your cluster for the upgrade​
Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
Upgrade Calico to Calico Enterprise​
Before you begin​
Required
Install Calico Enterprise​
Download the new manifests
Make the manifests directory.
mkdir manifests
Download the Calico Enterprise manifests for OpenShift and add them to the generated manifests directory:
mkdir calico
wget -qO- https://downloads.tigera.io/ee/v3.18.3/manifests/ocp.tgz | tar xvz --strip-components=1 -C calico --exclude=01-cr-*
cp calico/* manifests/
Add an image pull secret
Update the contents of the secret with the image pull secret provided to you by Tigera support representative.
For example, if the secret is located at ~/.docker/config.json, run the following commands.
SECRET=$(cat ~/.docker/config.json | tr -d '\n\r\t ' | base64 -w 0)
sed -i "s/SECRET/${SECRET}/" manifests/02-pull-secret.yaml
(Optional) If your cluster architecture requires any custom Calico Enterprise resources to function at startup, install them now using calicoctl.
Install Calico Enterprise
Apply the Tigera operators and custom resource definitions.
oc apply --server-side --force-conflicts -f manifests/(Optional) If your cluster architecture requires any custom Calico resources to function at startup, install them now using calicoctl.
Create the custom resources for Calico Enterprise features, see the installation reference.
oc apply -f https://downloads.tigera.io/ee/v3.18.3/manifests/ocp/tigera-enterprise-resources.yamlPatch installation.
oc patch installations.operator.tigera.io default --type merge -p '{"spec":{"variant":"TigeraSecureEnterprise","imagePullSecrets":[{"name":"tigera-pull-secret"}]}}'You can now monitor the upgrade progress with the following command:
watch oc get tigerastatus
Wait until the apiserver shows a status of Available, then proceed to the next section.
To troubleshoot problems, use oc get tigerastatus -o yaml.
Install the Calico Enterprise license​
Install the Calico Enterprise license provided to you by Tigera.
oc create -f </path/to/license.yaml>
Apply the Calico Enterprise manifests for the Prometheus operator.
oc apply -f https://downloads.tigera.io/ee/v3.18.3/manifests/ocp/tigera-prometheus-operator.yaml
Create the pull secret in the tigera-prometheus namespace and then patch the Prometheus operator deployment. Use the image pull secret provided to you by Tigera support representative.
oc patch deployment -n tigera-prometheus calico-prometheus-operator \
-p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'
You can now monitor progress with the following command:
watch oc get tigerastatus