Upgrade from Calico to Calico Enterprise

Prerequisites

Ensure that your Kubernetes cluster is running with open source Calico on the latest release using an operator-based installation. If not, follow the Calico upgrade documentation before continuing.

Calico Enterprise only supports clusters with a Kubernetes datastore. Please contact Tigera Support for assistance upgrading a cluster with an etcdv3 datastore.

If your cluster already has Calico Enterprise installed, follow the Upgrading Calico Enterprise from an earlier release guide instead.

For hybrid Linux and Windows clusters, ensure that your Windows nodes have at least 4 cores, 8GB RAM.

Prepare your cluster for the upgrade

Calico Enterprise creates default-deny policies for all Calico and Tigera namespaces, including calico-system. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.

Upgrade Calico to Calico Enterprise

note

GKE upgrades from open source Calico are not currently supported.

Before you begin

Required

• Configure a storage class for Calico Enterprise.

Install Calico Enterprise

Kubernetes

1. Download the new manifests for Tigera operator.

   curl -L -O https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-operator.yaml

2. Download the new manifests for Prometheus operator.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   curl -L -O https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-prometheus-operator.yaml

3. If you previously installed using a private registry, you will need to push the new images and then update the manifest downloaded in the previous step.

4. Apply the manifest for Tigera operator.

   kubectl apply --server-side --force-conflicts -f tigera-operator.yaml

5. If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.

   kubectl apply --server-side --force-conflicts -f tigera-prometheus-operator.yaml

6. Install your pull secret.

   If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

   kubectl create secret generic tigera-pull-secret \
     --type=kubernetes.io/dockerconfigjson -n tigera-operator \
     --from-file=.dockerconfigjson=<path/to/pull/secret>

7. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

   kubectl apply -f https://downloads.tigera.io/ee/v3.19.4/manifests/custom-resources-upgrade-from-calico.yaml

EKS

1. Download the new manifests for Tigera operator.

   curl -L -O https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-operator.yaml

2. Download the new manifests for Prometheus operator.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   curl -L -O https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-prometheus-operator.yaml

3. If you previously installed using a private registry, you will need to push the new images and then update the manifest downloaded in the previous step.

4. Apply the manifest for Tigera operator.

   kubectl apply --server-side --force-conflicts -f tigera-operator.yaml

5. If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.

   kubectl apply --server-side --force-conflicts -f tigera-prometheus-operator.yaml

6. Install your pull secret.

   If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

   kubectl create secret generic tigera-pull-secret \
     --type=kubernetes.io/dockerconfigjson -n tigera-operator \
     --from-file=.dockerconfigjson=<path/to/pull/secret>

7. Install the Tigera custom resources. For more information on configuration options available in this manifest, see the installation reference.

   kubectl apply -f https://downloads.tigera.io/ee/v3.19.4/manifests/eks/custom-resources-upgrade-from-calico.yaml

AKS

note

The following instructions are only for AKS clusters that use a Kubernetes reconciler. For AKS clusters with a self-managed Calico installation (including AKS clusters with Calico CNI), or a cluster that is not using a reconciler, follow the upgrade steps under the Kubernetes tab.

These upgrade instructions will upgrade your AKS clusters with Azure CNI and an AKS-managed Calico installation.

1. Switch the active operator to the one that will be installed to the new namespace. First, download the helper script:

   curl -L -O https://docs.tigera.io/calico-enterprise/3.19/scripts/switch-active-operator.sh

   Then switch the active operator. This will deactivate the currently running operator.

   chmod a+x ./switch-active-operator.sh
   ./switch-active-operator.sh tigera-operator-enterprise

2. Download the new manifests for Tigera operator.

   curl -L -o tigera-operator.yaml https://downloads.tigera.io/ee/v3.19.4/manifests/aks/tigera-operator-upgrade.yaml

3. Download the new manifests for Prometheus operator.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   curl -L -O https://downloads.tigera.io/ee/v3.19.4/manifests/tigera-prometheus-operator.yaml

4. If you previously installed using a private registry, you will need to push the new images and then update the manifest downloaded in the previous step.

5. Apply the manifest for Tigera operator.

   kubectl apply --server-side --force-conflicts -f tigera-operator.yaml

6. If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.

   kubectl apply --server-side --force-conflicts -f tigera-prometheus-operator.yaml

7. Install your pull secret.

   If pulling images directly from quay.io/tigera, you will likely want to use the credentials provided to you by your Tigera support representative. If using a private registry, use your private registry credentials instead.

   kubectl create secret generic tigera-pull-secret \
     --type=kubernetes.io/dockerconfigjson -n tigera-operator-enterprise \
     --from-file=.dockerconfigjson=<path/to/pull/secret>

8. Download the custom resources manifest.

   curl -L -o custom-resources.yaml https://downloads.tigera.io/ee/v3.19.4/manifests/aks/custom-resources-upgrade-from-calico.yaml

9. If you are installing using a private registry, you will need to update the manifest downloaded in the previous step. Update the spec.registry, spec.imagePath, and spec.imagePrefix fields of the installation resource with the registry name, image path, and image prefix of your private registry.

10. Apply the Tigera custom resources manifest. For more information on configuration options available in this manifest, see the installation reference.

    kubectl apply -f custom-resources.yaml

Wait until the apiserver shows a status of Available, then proceed to the next section.

note

If there are any problems you can use kubectl get tigerastatus -o yaml to get more details.

Install the Calico Enterprise license

To use Calico Enterprise, you must install the license provided to you by Tigera.

kubectl create -f </path/to/license.yaml>

You can now monitor progress with the following command:

watch kubectl get tigerastatus

Next steps

• Configure access to Calico Enterprise Manager UI
• Authentication quickstart