Skip to main content
Version: 3.18 (latest)

Upgrade from Calico to Calico Enterprise

Prerequisites​

Ensure that your Kubernetes cluster is running with open source Calico on the latest release using an operator-based installation. If not, follow the Calico upgrade documentation before continuing.

Calico Enterprise only supports clusters with a Kubernetes datastore. Please contact Tigera Support for assistance upgrading a cluster with an etcdv3 datastore.

If your cluster already has Calico Enterprise installed, follow the Upgrading Calico Enterprise from an earlier release guide instead.

For hybrid Linux and Windows clusters, ensure that your Windows nodes have at least 4 cores, 8GB RAM.

Prepare your cluster for the upgrade​

Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.

Upgrade Calico to Calico Enterprise​

note

GKE upgrades from open source Calico are not currently supported.

Before you begin​

Required

Install Calico Enterprise​

  1. Download the new manifests for Tigera operator.

    curl -L -O https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-operator.yaml

  2. Download the new manifests for Prometheus operator.

    note
    If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.
    curl -L -O https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml

  3. If you previously installed using a private registry, you will need to push the new images and then update the manifest downloaded in the previous step.

  4. Apply the manifest for Tigera operator.

    kubectl apply --server-side --force-conflicts -f tigera-operator.yaml

  5. If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.

    kubectl apply --server-side --force-conflicts -f tigera-prometheus-operator.yaml

  6. Install your pull secret.

    If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

    kubectl create secret generic tigera-pull-secret \
      --type=kubernetes.io/dockerconfigjson -n tigera-operator \
      --from-file=.dockerconfigjson=<path/to/pull/secret>

    For the Prometheus operator, create the pull secret in the tigera-prometheus namespace and then patch the deployment.

    kubectl create secret generic tigera-pull-secret \
        --type=kubernetes.io/dockerconfigjson -n tigera-prometheus \
        --from-file=.dockerconfigjson=<path/to/pull/secret>
    kubectl patch deployment -n tigera-prometheus calico-prometheus-operator \
        -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name": "tigera-pull-secret"}]}}}}'

  7. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

    kubectl apply -f https://downloads.tigera.io/ee/v3.18.3/manifests/custom-resources-upgrade-from-calico.yaml

Wait until the apiserver shows a status of Available, then proceed to the next section.

note

If there are any problems you can use kubectl get tigerastatus -o yaml to get more details.

Install the Calico Enterprise license​

To use Calico Enterprise, you must install the license provided to you by Tigera.

kubectl create -f </path/to/license.yaml>

You can now monitor progress with the following command:

watch kubectl get tigerastatus

Next steps​