Upgrade Calico to Calico Enterprise installed with Helm
All upgrades in Calico Enterprise are free with a valid license.
Upgrades paths​
Upgrading to Calico Enterprise v3.13 and above, from Calico 3.22 and below is currently unsupported.
Prepare your cluster for the upgrade​
Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.
Upgrade from Calico to Calico Enterprise​
The following steps assume the Calico deployment is installed on tigera-operator namespace. Replace with valid namespace otherwise.
Get the Helm chart
curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.18.3-0.tgzInstall the Calico Enterprise custom resource definitions.
kubectl apply --server-side --force-conflicts -f https://downloads.tigera.io/ee/v3.18.3/manifests/operator-crds.yaml
kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/prometheus-operator-crds.yaml
kubectl create -f https://downloads.tigera.io/ee/v3.18.3/manifests/eck-operator-crds.yamlRun the Helm upgrade command for
tigera-operator:helm upgrade calico tigera-operator-v3.18.3-0.tgz \
--set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
--namespace tigera-operatorWait until the
apiservershows a status ofAvailable, then proceed to the next section. You can monitor progress with the following command:watch kubectl get tigerastatus/apiserverInstall your Calico Enterprise license.
kubectl create -f </path/to/license.yaml>Monitor progress, wait until all components show a status of
Available, then proceed to the next step.watch kubectl get tigerastatusnoteIf there are any problems you can use
kubectl get tigerastatus -o yamlto get more details.