Version: 3.18 (latest)

Create a Calico Enterprise managed cluster

Big picture

Create a Calico Enterprise managed cluster that you can control from your management cluster using Helm 3.

Value

Helm charts are a way to package up an application for Kubernetes (similar to apt or yum for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.

Before you begin

Required

Concepts

Operator-based installation

In this guide, you install the Tigera operator and the Calico Enterprise custom resource definitions using the Helm 3 chart. The Tigera operator manages the lifecycle of Calico Enterprise through the Kubernetes API: the desired installation is declared in custom resources, and the operator reconciles the cluster to match them.

How to

Download the Helm chart

curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.18.3-0.tgz

Customize the Helm chart

If you are installing on a cluster created by EKS, GKE, AKS, or Mirantis Kubernetes Engine (MKE), or you need to customize TLS certificates, you must customize this Helm chart by creating a values.yaml file. Otherwise, you can skip this step.

  1. If you are installing on a cluster created by EKS, GKE, AKS, or MKE, set the kubernetesProvider as described in the Installation reference. For example:

    echo 'installation: { kubernetesProvider: EKS }' > values.yaml

    For Azure AKS cluster with no Kubernetes CNI pre-installed, create values.yaml with the following command:

    cat > values.yaml <<EOF
    installation:
      kubernetesProvider: AKS
      cni:
        type: Calico
      calicoNetwork:
        bgp: Disabled
        ipPools:
        - cidr: 10.244.0.0/16
          encapsulation: VXLAN
    EOF
  2. Add any other customizations you require to values.yaml. To see values that can be customized in the chart run the following command:

    helm show values ./tigera-operator-v3.18.3-0.tgz

Install Calico Enterprise

To install a Calico Enterprise managed cluster with Helm:

  1. Export the address of the management cluster: its public IP or hostname followed by the service port number (for example, example.com:1234 or 10.0.0.10:1234). This is the address the managed cluster connects to.

    export MANAGEMENT_CLUSTER_ADDR=<your-management-cluster-addr>
  2. Export the management cluster certificate and the managed cluster certificate and key.

    If you haven't already done so, generate the base64-encoded certificate and key for this managed cluster. The commands below create a 2048-bit RSA key and a self-signed certificate valid for 365 days and store each as a single base64 line; they rely on bash process substitution and GNU base64 (the -w 0 flag is not available in the macOS base64). The key is this cluster's identity toward the management cluster, so keep the key file private.

    openssl genrsa 2048 | base64 -w 0 > my-managed-cluster.key.base64
    openssl req -new -key <(base64 -d my-managed-cluster.key.base64) -subj "/CN=my-managed-cluster" | \
    openssl x509 -req -signkey <(base64 -d my-managed-cluster.key.base64) -days 365 | base64 -w 0 > my-managed-cluster.crt.base64

    Get the management cluster certificate by running the following command against the management cluster. The secret data is already base64 encoded, so no further encoding is needed:

    kubectl get secret -n tigera-operator $(kubectl get managementcluster tigera-secure -o jsonpath='{.spec.tls.secretName}') -o jsonpath='{.data.tls\.crt}' > management-cluster.crt.base64

    Export the managed cluster variables:

    export MANAGEMENT_CLUSTER_CRT=$(cat management-cluster.crt.base64)
    export MANAGED_CLUSTER_CRT=$(cat my-managed-cluster.crt.base64)
    export MANAGED_CLUSTER_KEY=$(cat my-managed-cluster.key.base64)
  3. Append the management cluster connection settings to your values.yaml. The double-quoted echo expands the variables exported in the previous step, so run it in the same shell. Note that values.yaml now contains the managed cluster's private key: keep it out of version control and restrict its file permissions.

    echo "
    managementClusterConnection:
      enabled: true
      managementClusterAddress: $MANAGEMENT_CLUSTER_ADDR
      management:
        tls:
          crt: $MANAGEMENT_CLUSTER_CRT
      managed:
        tls:
          crt: $MANAGED_CLUSTER_CRT
          key: $MANAGED_CLUSTER_KEY" >> values.yaml
  4. Install the Tigera operator and custom resource definitions using the Helm 3 chart. The two --set flags disable log storage and the Manager UI in this cluster: a managed cluster sends its data to, and is administered through, the management cluster.

    helm install calico-enterprise tigera-operator-v3.18.3-0.tgz -f values.yaml \
    --set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
    --set-file licenseKeyContent=<path/to/license/file/yaml> \
    --set logStorage.enabled=false --set manager.enabled=false \
    --namespace tigera-operator --create-namespace
  5. You can now monitor progress with the following command:

    watch kubectl get tigerastatus
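As an added example (not Calico Enterprise's own tooling), the following bash script wraps steps 1 to 3 above so that the managementClusterConnection block is written only when every input is present and well-formed: it checks the address is host:port, checks that each exported value decodes to a PEM block of the right kind, can confirm the managed cluster certificate really belongs to the generated key, and leaves values.yaml mode 0600 because it now carries the private key. It assumes bash, GNU coreutils and openssl; the script name mcc-values.sh, the function names and the sample inputs are its own.

```shell
#!/usr/bin/env bash
# Added example (not Calico Enterprise tooling): wraps the page's openssl/echo steps so that
# values.yaml is only written when every input is present and well-formed, and is kept private.
# Assumes bash, GNU coreutils (base64 -d) and, for gen_managed_cluster_tls/cert_matches_key only, openssl.
set -euo pipefail

# Generate a 2048-bit RSA key and a one-year self-signed certificate for this managed cluster,
# stored as single-line base64 files named <name>.key.base64 / <name>.crt.base64 (as on the page).
gen_managed_cluster_tls() {
  local name=$1 dir
  dir=$(mktemp -d)                           # mktemp -d creates the directory mode 0700
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/key.pem" -subj "/CN=$name" -out "$dir/csr.pem"
  openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" -days 365 -out "$dir/crt.pem" 2>/dev/null
  ( umask 077                                # the key file must not be world-readable
    base64 < "$dir/key.pem" | tr -d '\n' > "$name.key.base64"
    base64 < "$dir/crt.pem" | tr -d '\n' > "$name.crt.base64" )
  rm -rf "$dir"
}

# Return 0 if $1 has the page's "host:port" form (e.g. example.com:1234), else 1.
valid_cluster_addr() {
  case $1 in *:*) ;; *) return 1 ;; esac
  local host="${1%:*}" port="${1##*:}"
  [ -n "$host" ] || return 1
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Return 0 if $1 is non-empty base64 whose decoded text starts a PEM block of type $2
# ("CERTIFICATE", or "PRIVATE KEY", which also accepts the older "RSA PRIVATE KEY" header).
valid_b64_pem() {
  local b64=$1 kind=$2 pem
  [ -n "$b64" ] || return 1
  pem=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
  case $pem in "-----BEGIN "*"$kind-----"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 if the base64 certificate $1 carries the public key of the base64 private key $2.
# Catches a mismatched crt/key pair before it is shipped to the managed cluster. Needs openssl.
cert_matches_key() {
  local c k
  c=$(printf '%s' "$1" | base64 -d | openssl x509 -noout -pubkey)
  k=$(printf '%s' "$2" | base64 -d | openssl pkey -pubout)
  [ "$c" = "$k" ]
}

# Append the managementClusterConnection block to $1 (values.yaml) from
# $2 = management cluster addr, $3 = management cluster crt, $4/$5 = managed cluster crt/key.
# Fails closed on any bad input (the page's unchecked echo would silently write empty fields)
# and leaves the file mode 0600 because it now holds the managed cluster's private key.
append_management_connection() {
  local out=$1 addr=$2 mgmt_crt=$3 managed_crt=$4 managed_key=$5
  valid_cluster_addr "$addr"                 || { echo "bad management cluster address: '$addr'" >&2; return 1; }
  valid_b64_pem "$mgmt_crt" CERTIFICATE      || { echo "management cluster crt is not base64 PEM" >&2; return 1; }
  valid_b64_pem "$managed_crt" CERTIFICATE   || { echo "managed cluster crt is not base64 PEM" >&2; return 1; }
  valid_b64_pem "$managed_key" "PRIVATE KEY" || { echo "managed cluster key is not base64 PEM" >&2; return 1; }
  cat >> "$out" <<EOF
managementClusterConnection:
  enabled: true
  managementClusterAddress: "$addr"
  management:
    tls:
      crt: $mgmt_crt
  managed:
    tls:
      crt: $managed_crt
      key: $managed_key
EOF
  chmod 600 "$out"
}

# Usage: ./mcc-values.sh gen [name]   -> writes <name>.key.base64 and <name>.crt.base64
#        ./mcc-values.sh append       -> appends to values.yaml from the page's four env vars
case "${1:-}" in
  gen)    gen_managed_cluster_tls "${2:-my-managed-cluster}" ;;
  append) append_management_connection values.yaml "${MANAGEMENT_CLUSTER_ADDR:?}" \
            "${MANAGEMENT_CLUSTER_CRT:?}" "${MANAGED_CLUSTER_CRT:?}" "${MANAGED_CLUSTER_KEY:?}" ;;
esac
```

Run `./mcc-values.sh gen my-managed-cluster` in place of the page's openssl pipeline, export the four variables as in step 2, then `./mcc-values.sh append` in place of the echo in step 3; `cert_matches_key "$MANAGED_CLUSTER_CRT" "$MANAGED_CLUSTER_KEY"` is a quick check that the pair you are about to install belongs together. Because the key is self-signed and valid for 365 days, plan to rotate it and reinstall the chart before it expires.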

Provide permissions to view the managed cluster

To access resources belonging to a managed cluster from the Calico Enterprise Manager UI, the service or user account used to log in must have appropriate permissions defined in the managed cluster.

Define admin-level permissions for the mcm-user service account (in the default namespace) created earlier to log in to the Manager UI. Run the following command against your managed cluster. This binding grants that account cluster-wide network admin rights in the managed cluster, so use a narrower role if the account only needs to view resources.

kubectl create clusterrolebinding mcm-user-admin --clusterrole=tigera-network-admin --serviceaccount=default:mcm-user

Congratulations! You have now installed Calico Enterprise for a managed cluster using the Helm 3 chart.

Next steps

Recommended

Recommended - Networking

Recommended - Security