Version: 3.18 (latest)

Upgrade from Calico to Calico Enterprise on OpenShift

Prerequisites

Ensure that your Kubernetes cluster is running with open source Calico on the latest release using an operator-based installation. If not, follow the Calico upgrade documentation before continuing.

Ensure your Kubernetes cluster is using the Kubernetes datastore. If you are using an etcdv3 datastore, or the cluster doesn't have a datastore, contact Tigera Support to upgrade the datastore.

Your Kubernetes cluster must not be running in production. Operator-based upgrades from open source Calico are not recommended for production clusters due to limited testing. Also, upgrades are not tested with open source Calico prior to v3.15.

If your cluster already has Calico Enterprise installed, follow the Upgrading Calico Enterprise from an earlier release guide instead.

Prepare your cluster for the upgrade

Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.

Upgrade Calico to Calico Enterprise

Before you begin

Required

Install Calico Enterprise

Download the new manifests

Make the manifests directory.

mkdir manifests

Download the Calico Enterprise manifests for OpenShift and add them to the generated manifests directory:

mkdir calico
wget -qO- https://downloads.tigera.io/ee/v3.18.1/manifests/ocp.tgz | tar xvz --strip-components=1 -C calico --exclude='01-cr-*'
cp calico/* manifests/

Add an image pull secret

Update the contents of the secret with the image pull secret provided to you by your Tigera support representative.

For example, if the secret is located at ~/.docker/config.json, run the following commands.

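# Strip whitespace from the Docker config and base64-encode it on a single line.
SECRET=$(cat ~/.docker/config.json | tr -d '\n\r\t ' | base64 -w 0)
# Use '|' as the sed delimiter: base64 output can contain '/'.
sed -i "s|SECRET|${SECRET}|" manifests/02-pull-secret.yaml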
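
A checked version of the substitution above, as an added example that is not part of the original page or of Tigera's tooling: it passes the encoded value on stdin instead of inside a sed expression, then confirms the manifest decodes back to the input. The function name render_pull_secret, the "auths" sanity check and the `.dockerconfigjson:` key it looks for are assumptions based on a standard Kubernetes dockerconfigjson Secret.

```shell
#!/bin/sh
# render_pull_secret CONFIG_JSON MANIFEST   (hypothetical helper, not from the page)
# Replaces the SECRET placeholder in MANIFEST with the base64 of CONFIG_JSON
# (whitespace stripped, as in the page's commands) and verifies the result.
# Returns 0 on success, non-zero on a failed check; never prints the secret.
render_pull_secret() {
    config=$1
    manifest=$2

    [ -s "$config" ] || { echo "empty or missing: $config" >&2; return 2; }
    grep -q 'SECRET' "$manifest" || { echo "no SECRET placeholder in $manifest" >&2; return 3; }

    # Same normalisation as the page: strip whitespace, then base64 on one line.
    compact=$(tr -d '\n\r\t ' < "$config")
    # Cheap shape check (assumption: a pull secret config has an "auths" key).
    case $compact in
        '{'*'"auths"'*'}') ;;
        *) echo "$config does not look like a Docker config.json" >&2; return 4 ;;
    esac
    encoded=$(printf '%s' "$compact" | base64 | tr -d '\n')

    # Feed the value on stdin, not argv: it stays out of the process list, and
    # '/' or '+' in the base64 cannot collide with a sed delimiter.
    tmp=$(mktemp) || return 5
    printf '%s\n' "$encoded" |
        awk 'NR == FNR { s = $0; next } { sub(/SECRET/, s) } 1' - "$manifest" > "$tmp" ||
        { rm -f "$tmp"; return 5; }

    # Verify: the embedded value must decode back to the normalised input.
    embedded=$(sed -n 's/^ *\.dockerconfigjson: *//p' "$tmp")
    decoded=$(printf '%s' "$embedded" | base64 -d 2>/dev/null)
    if [ "$decoded" != "$compact" ]; then
        echo "rendered manifest failed round-trip check" >&2
        rm -f "$tmp"
        return 7
    fi

    cat "$tmp" > "$manifest"   # overwrite in place, keeping the file's mode
    rm -f "$tmp"
}
# Usage: render_pull_secret ~/.docker/config.json manifests/02-pull-secret.yaml
```

A non-zero return leaves the manifest untouched, so the function can be rerun after fixing the input.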

(Optional) If your cluster architecture requires any custom Calico Enterprise resources to function at startup, install them now using calicoctl.

Install Calico Enterprise

  1. Apply the Tigera operators and custom resource definitions.

    oc apply --server-side --force-conflicts -f manifests/

  2. (Optional) If your cluster architecture requires any custom Calico resources to function at startup, install them now using calicoctl.

  3. Create the custom resources for Calico Enterprise features. For details, see the installation reference.

    oc apply -f https://downloads.tigera.io/ee/v3.18.1/manifests/ocp/tigera-enterprise-resources.yaml

  4. Patch the default Installation resource to set the variant to TigeraSecureEnterprise and reference the pull secret.

    oc patch installations.operator.tigera.io default --type merge -p '{"spec":{"variant":"TigeraSecureEnterprise","imagePullSecrets":[{"name":"tigera-pull-secret"}]}}'

  5. Monitor the upgrade progress with the following command:

    watch oc get tigerastatus

Wait until the apiserver shows a status of Available, then proceed to the next section.

Note: To troubleshoot problems, use oc get tigerastatus -o yaml.

Install the Calico Enterprise license

Install the Calico Enterprise license provided to you by Tigera.

oc create -f </path/to/license.yaml>

Apply the Calico Enterprise manifests for the Prometheus operator.

Note: Complete this step only if you are using the Calico Enterprise Prometheus operator (including adding your own Prometheus operator). Skip this step if you are using BYO Prometheus that you manage yourself.

oc apply -f https://downloads.tigera.io/ee/v3.18.1/manifests/ocp/tigera-prometheus-operator.yaml

Create the pull secret in the tigera-prometheus namespace and then patch the Prometheus operator deployment. Use the image pull secret provided to you by your Tigera support representative.

oc patch deployment -n tigera-prometheus calico-prometheus-operator \
-p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'

You can now monitor progress with the following command:

watch oc get tigerastatus