Skip to main content
Calico Enterprise 3.21 (latest) documentation

Upgrade Calico to Calico Enterprise installed with Helm

note

All upgrades in Calico Enterprise are free with a valid license.

Prepare your cluster for the upgrade

Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.

Deleting Goldmane and Whisker resources (for upgrades from Calico 3.30 or later)

If you are upgrading from Calico 3.30 and have custom resources related to Goldmane and Whisker, you should delete these resources before the upgrade.

kubectl delete goldmanes,whiskers --all

If you receive error indicating the custom resource definitions or resource type does not exist, it means these resources were not present in your cluster. You can safely ignore the error and proceed.

Upgrade from Calico to Calico Enterprise

note

The following steps assume the Calico deployment is installed on tigera-operator namespace. Replace with valid namespace otherwise.

  1. Get the Helm chart

    curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.21.2-0.tgz

  2. Install the Calico Enterprise custom resource definitions.

    kubectl apply --server-side --force-conflicts -f https://downloads.tigera.io/ee/v3.21.2/manifests/operator-crds.yaml
    kubectl create -f https://downloads.tigera.io/ee/v3.21.2/manifests/prometheus-operator-crds.yaml
    kubectl create -f https://downloads.tigera.io/ee/v3.21.2/manifests/eck-operator-crds.yaml

  3. Configure a storage class for Calico Enterprise

  4. Run the Helm upgrade command for tigera-operator:

    helm upgrade calico tigera-operator-v3.21.2-0.tgz \
    --set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
    --namespace tigera-operator

  5. Wait until the apiserver shows a status of Available, then proceed to the next section. You can monitor progress with the following command:

    watch kubectl get tigerastatus/apiserver

  6. Install your Calico Enterprise license.

    kubectl create -f </path/to/license.yaml>

  7. Monitor progress, wait until all components show a status of Available, then proceed to the next step.

    watch kubectl get tigerastatus
    note

    If there are any problems you can use kubectl get tigerastatus -o yaml to get more details.

Next steps