Upgrade Calico Enterprise installed with the operator

note

All upgrades in Calico Enterprise are free with a valid license.

Upgrades paths

You can upgrade your cluster to a maximum of two releases from your existing version. For example, if you are on version 3.6, you can upgrade to 3.7, or you can upgrade directly to 3.8. However, you cannot upgrade beyond two releases; upgrading from 3.6 to 3.9 (three releases) is not supported.

If you are several versions behind where you want to be, you must go through each group of two releases to get there. For example, if you are on version 3.6, and you want to get to 3.10, you can upgrade to 3.8, then upgrade from 3.8 directly to 3.10.

note

Always check the Release Notes for exceptions; limitations can override the above pattern.

Prerequisites

Verify that your Kubernetes cluster is using a version of Calico Enterprise installed with the operator, by running kubectl get tigerastatus. If the result is successful, then your installation is using the operator.

If your cluster is on a version earlier than 2.6 or does not use the operator, contact Tigera support to upgrade.

If your cluster has a Calico installation, contact Tigera support to upgrade.

Prepare your cluster for the upgrade

During the upgrade the controller that manages Elasticsearch is updated. Because of this, the Calico Enterprise LogStorage CR is temporarily removed during upgrade. Features that depend on LogStorage are temporarily unavailable, among which are the dashboards in the Manager UI. Data ingestion is temporarily paused and will continue when the LogStorage is up and running again.

To retain data from your current installation (optional), ensure that the currently mounted persistent volumes have their reclaim policy set to retain data. Retaining data is only recommended for users that use a valid Elastic license. Trial licenses can get invalidated during the upgrade.

Default Deny

Calico Enterprise creates a default-deny for the calico-system namespace. If you deploy workloads into the calico-system namespace, you must create policy that allows the required traffic for your workloads prior to upgrade.

Windows

If your cluster has Windows nodes and uses custom TLS certificates for log storage, prior to upgrade, prepare and apply new certificates for log storage that include the required service DNS names.

For AKS only, upgrades beginning from Calico Enterprise v3.11.2 to a newer version will automatically upgrade Calico Enterprise for Windows. During the upgrade, Windows nodes will be tainted so new pods will not be scheduled until the upgrade of the node has finished. The Calico Enterprise for Windows upgrade status can be monitored with: kubectl get tigerastatus calico -oyaml

For all other platforms or versions older than v3.11.2, upgrading Calico Enterprise for Windows can be performed out-of-band with the Calico Enterprise upgrade of the cluster. For each Windows node, uninstall the Calico Enterprise for Windows services, copy over the latest Calico Enterprise for Windows installation archive, then proceed with the installation.

Multi-cluster management

For Calico Enterprise v3.5 and v3.7, upgrading multi-cluster management setups must include updating all managed and management clusters.

note

These steps differ based on your cluster type. If you are unsure of your cluster type, look at the field clusterManagementType when you run kubectl get installation -o yaml before you proceed.

Upgrade Calico Enterprise

Kubernetes

1. Download the new manifests for Tigera operator.

   curl -L -O https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-operator.yaml

2. Download the new manifests for Prometheus operator.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   curl -L -O https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml

3. If you previously installed using a private registry, you will need to push the new images and then update the manifest downloaded in the previous step.

4. Apply the manifest for Tigera operator.

   kubectl apply --server-side --force-conflicts -f tigera-operator.yaml
   note

   If you intend to update any operator.tigera.io or projectcalico.org resources to utilize new fields available in the update you must make sure you make those changes after applying the tigera-operator.yaml.

5. If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.

   kubectl apply --server-side --force-conflicts -f tigera-prometheus-operator.yaml

6. If your cluster has OIDC login configured, follow these steps:

   a. Save a copy of your Manager for reference.

   kubectl get manager tigera-secure -o yaml > manager.yaml

   b. Remove the deprecated fields from your Manager resource.

   kubectl patch manager tigera-secure --type merge -p '{"spec": null}'

   c. If you are currently using v3.2 and are using OIDC with Kibana verify that you have the following resources in your cluster:

   kubectl get authentication tigera-secure
   kubectl get secret tigera-oidc-credentials -n tigera-operator

   If both of these resources are present, you can continue with the next step. Otherwise, use the instructions to configure an identity provider to configure OIDC.

   d. Follow configure an identity provider.

7. If your cluster is a management cluster using v3.1 or older, apply a ManagementCluster CR to your cluster.

   kubectl apply -f - <<EOF
   apiVersion: operator.tigera.io/v1
   kind: ManagementCluster
   metadata:
     name: tigera-secure
   EOF

8. If your cluster is v3.7 or older, apply a new Monitor CR to your cluster.

   kubectl apply -f - <<EOF
   apiVersion: operator.tigera.io/v1
   kind: Monitor
   metadata:
     name: tigera-secure
   EOF

9. If your cluster is v3.16 or older, apply a new PolicyRecommendation CR to your cluster.

   kubectl apply -f - <<EOF
   apiVersion: operator.tigera.io/v1
   kind: PolicyRecommendation
   metadata:
     name: tigera-secure
   EOF

10. You can monitor progress with the following command:

    watch kubectl get tigerastatus
    note

    If there are any problems you can use kubectl get tigerastatus -o yaml to get more details.

11. If your cluster includes egress gateways, follow the egress gateway upgrade instructions.

AKS

note

If Calico Enterprise was installed directly onto the AKS cluster, follow the upgrade instructions in the Kubernetes tab.

These AKS upgrade instructions apply only to AKS clusters which were upgraded to Calico Enterprise from Calico. Check whether the cluster was upgraded from Calico by checking the namespace for the active operator:

kubectl get configmap -n calico-system active-operator -oyaml | grep active-namespace

If the active-namespace is tigera-operator-enterprise, then the cluster was upgraded from Calico.

1. Download the new manifests for Tigera operator.

   curl -L -o tigera-operator.yaml https://downloads.tigera.io/ee/v3.18.3/manifests/aks/tigera-operator-upgrade.yaml

2. Download the new manifests for Prometheus operator.

   note

   If you have an existing Prometheus operator in your cluster that you want to use, skip this step. To work with Calico Enterprise, your Prometheus operator must be v0.40.0 or higher.

   curl -L -O https://downloads.tigera.io/ee/v3.18.3/manifests/tigera-prometheus-operator.yaml

3. If you previously installed using a private registry, you will need to push the new images and then update the manifest downloaded in the previous step.

4. Apply the manifest for Tigera operator.

   kubectl apply --server-side --force-conflicts -f tigera-operator.yaml
   note

   If you intend to update any operator.tigera.io or projectcalico.org resources to utilize new fields available in the update you must make sure you make those changes after applying the tigera-operator.yaml.

5. If you downloaded the manifests for Prometheus operator from the earlier step, then apply them now.

   kubectl apply --server-side --force-conflicts -f tigera-prometheus-operator.yaml

6. If your cluster has OIDC login configured, follow these steps:

   a. Save a copy of your Manager for reference.

   kubectl get manager tigera-secure -o yaml > manager.yaml

   b. Remove the deprecated fields from your Manager resource.

   kubectl patch manager tigera-secure --type merge -p '{"spec": null}'

   c. If you are currently using v3.2 and are using OIDC with Kibana verify that you have the following resources in your cluster:

   kubectl get authentication tigera-secure
   kubectl get secret tigera-oidc-credentials -n tigera-operator

   If both of these resources are present, you can continue with the next step. Otherwise, use the instructions to configure an identity provider to configure OIDC.

   d. Follow configure an identity provider.

7. If your cluster is a management cluster using v3.1 or older, apply a ManagementCluster CR to your cluster.

   kubectl apply -f - <<EOF
   apiVersion: operator.tigera.io/v1
   kind: ManagementCluster
   metadata:
     name: tigera-secure
   EOF

8. If your cluster is v3.7 or older, apply a new Monitor CR to your cluster.

   kubectl apply -f - <<EOF
   apiVersion: operator.tigera.io/v1
   kind: Monitor
   metadata:
     name: tigera-secure
   EOF

9. If your cluster is v3.16 or older, apply a new PolicyRecommendation CR to your cluster.

   kubectl apply -f - <<EOF
   apiVersion: operator.tigera.io/v1
   kind: PolicyRecommendation
   metadata:
     name: tigera-secure
   EOF

10. You can monitor progress with the following command:

    watch kubectl get tigerastatus
    note

    If there are any problems you can use kubectl get tigerastatus -o yaml to get more details.

11. If your cluster includes egress gateways, follow the egress gateway upgrade instructions.