Upgrade Calico to Calico Enterprise installed with Helm
All upgrades in Calico Enterprise are free with a valid license.
Prepare your cluster for the upgrade
Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
Upgrade from Calico to Calico Enterprise
The following steps assume the Calico deployment is installed on tigera-operator namespace. Replace with valid namespace otherwise.
-
Get the Helm chart
curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.19.4-0.tgz -
Install the Calico Enterprise custom resource definitions.
kubectl apply --server-side --force-conflicts -f https://downloads.tigera.io/ee/v3.19.4/manifests/operator-crds.yaml
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/prometheus-operator-crds.yaml
kubectl create -f https://downloads.tigera.io/ee/v3.19.4/manifests/eck-operator-crds.yaml -
Run the Helm upgrade command for
tigera-operator:helm upgrade calico tigera-operator-v3.19.4-0.tgz \
--set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
--namespace tigera-operator -
Wait until the
apiservershows a status ofAvailable, then proceed to the next section. You can monitor progress with the following command:watch kubectl get tigerastatus/apiserver -
Install your Calico Enterprise license.
kubectl create -f </path/to/license.yaml> -
Monitor progress, wait until all components show a status of
Available, then proceed to the next step.watch kubectl get tigerastatusnoteIf there are any problems you can use
kubectl get tigerastatus -o yamlto get more details.