Calico Enterprise 3.19 (latest) documentation

Create a Calico Enterprise management cluster

Big picture

Create a Calico Enterprise management cluster to manage multiple clusters from a single management plane using Helm 3.

Value

Helm charts are a way to package up an application for Kubernetes (similar to apt or yum for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.

Before you begin

Required

Concepts

Operator-based installation

In this guide, you install the Tigera Calico operator and custom resource definitions using the Helm 3 chart. The Tigera operator provides lifecycle management for Calico Enterprise exposed via the Kubernetes API defined as a custom resource definition.

How to

Get the Helm chart

curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.19.4-0.tgz

Prepare the Installation Configuration

You must provide the desired configuration for your cluster via values.yaml; otherwise the installation uses the default settings for the auto-detected provider. The configuration you need to provide depends on your cluster's settings and your desired state.

Some important configuration you might need to provide to the installer (via values.yaml) includes, but is not limited to: kubernetesProvider, the CNI type, and custom TLS certificates.

Here are some examples for updating values.yaml with your configurations:

Example 1. Providing kubernetesProvider: if you are installing on an EKS cluster, set kubernetesProvider as described in the Installation reference:

echo '{ installation: {kubernetesProvider: EKS }}' > values.yaml

Example 2. Providing custom settings in values.yaml for Azure AKS cluster with no Kubernetes CNI pre-installed:

cat > values.yaml <<EOF
installation:
  kubernetesProvider: AKS
  cni:
    type: Calico
  calicoNetwork:
    bgp: Disabled
    ipPools:
    - cidr: 10.244.0.0/16
      encapsulation: VXLAN
EOF

For more information about the options configurable via values.yaml, see the Helm installation reference.

Install Calico Enterprise

To install a Calico Enterprise management cluster with Helm, using a NodePort service:

  1. Configure a storage class for Calico Enterprise.

  2. Export the service node port number

export EXT_SERVICE_NODE_PORT=30449

Export the public address or host of the management cluster. (Ex. "example.com:1234" or "10.0.0.10:1234".)

export MANAGEMENT_CLUSTER_ADDR=<your-management-cluster-addr>:$EXT_SERVICE_NODE_PORT
  3. Export one or more managed clusters.

Generate the base64 encoded CRT and KEY for a managed cluster:

openssl genrsa 2048 | base64 -w 0 > my-managed-cluster.key.base64
openssl req -new -key <(base64 -d my-managed-cluster.key.base64) -subj "/CN=my-managed-cluster" | \
openssl x509 -req -signkey <(base64 -d my-managed-cluster.key.base64) -days 365 | base64 -w 0 > my-managed-cluster.crt.base64

Export the managed cluster variables:

export MANAGED_CLUSTER_NAME=my-managed-cluster
export MANAGED_CLUSTER_OPERATOR_NAMESPACE=tigera-operator
export MANAGED_CLUSTER_CERTIFICATE=$(cat my-managed-cluster.crt.base64)

  4. Append the management cluster context to your values.yaml:

echo "
managementCluster:
  enabled: true
  address: $MANAGEMENT_CLUSTER_ADDR
  service:
    enabled: true
    annotations:
    type: NodePort
    port: 9449
    targetPort: 9449
    protocol: TCP
    nodePort: $EXT_SERVICE_NODE_PORT

managedClusters:
  enabled: true
  clusters:
  - name: $MANAGED_CLUSTER_NAME
    operatorNamespace: $MANAGED_CLUSTER_OPERATOR_NAMESPACE
    certificate: $MANAGED_CLUSTER_CERTIFICATE" >> values.yaml

  5. Install the Tigera Calico Enterprise operator and custom resource definitions using the Helm 3 chart:

helm install calico-enterprise tigera-operator-v3.19.4-0.tgz -f values.yaml \
--set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
--set-file licenseKeyContent=<path/to/license/file/yaml> \
--namespace tigera-operator --create-namespace

  6. You can now monitor progress with the following command:

watch kubectl get tigerastatus
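Step 4 appends the managementCluster/managedClusters fragment straight from shell variables with no checks. As an added example, not code from the Calico Enterprise docs or the Tigera project, the following Python helper renders the same fragment after validating the inputs: the NodePort is in the default Kubernetes range, MANAGEMENT_CLUSTER_ADDR carries that same port, the cluster name is a valid DNS label, and MANAGED_CLUSTER_CERTIFICATE is the base64 of a PEM certificate rather than the private key generated beside it. The function names and the sample certificate are my own constructions.

```python
import base64
import re

NODEPORT_RANGE = range(30000, 32768)  # default Kubernetes --service-node-port-range
# The fragment this page appends to values.yaml, with address quoted so YAML reads it as text.
VALUES_TEMPLATE = """\
managementCluster:
  enabled: true
  address: "{addr}"
  service:
    enabled: true
    annotations:
    type: NodePort
    port: 9449
    targetPort: 9449
    protocol: TCP
    nodePort: {node_port}
managedClusters:
  enabled: true
  clusters:
  - name: {cluster_name}
    operatorNamespace: {operator_ns}
    certificate: {cert_b64}
"""

def check_inputs(addr, node_port, cluster_name, cert_b64):
    """Validate the exported shell variables before they land in values.yaml."""
    if node_port not in NODEPORT_RANGE:
        raise ValueError(f"nodePort {node_port} is outside 30000-32767")
    m = re.fullmatch(r"[A-Za-z0-9.-]+:(\d+)", addr)
    if not m or int(m.group(1)) != node_port:
        raise ValueError("MANAGEMENT_CLUSTER_ADDR must be host:port using EXT_SERVICE_NODE_PORT")
    if not re.fullmatch(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?", cluster_name):
        raise ValueError("managed cluster name must be a DNS-1123 label")
    try:  # binascii.Error from bad base64 is a ValueError subclass
        pem = base64.b64decode(cert_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("MANAGED_CLUSTER_CERTIFICATE is not base64") from exc
    # Also catches the easy slip of cat'ing the .key.base64 file instead of .crt.base64.
    if not pem.startswith("-----BEGIN CERTIFICATE-----") or "PRIVATE KEY" in pem:
        raise ValueError("certificate must be a PEM certificate with no private key material")
    return True

def render_values(addr, node_port, cluster_name, operator_ns, cert_b64):
    check_inputs(addr, node_port, cluster_name, cert_b64)
    return VALUES_TEMPLATE.format(addr=addr, node_port=node_port, cluster_name=cluster_name,
                                  operator_ns=operator_ns, cert_b64=cert_b64)

# Constructed placeholder, not a real certificate: only its PEM framing is checked.
SAMPLE_CERT_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n").decode()
```

Append the returned text to values.yaml in place of the echo in step 4; the helm install step is unchanged.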

Create an admin user and verify management cluster connection

To access resources in a managed cluster from the Calico Enterprise Manager within the management cluster, the logged-in user must have appropriate permissions defined in that managed cluster (clusterrole bindings).

Create an admin user, mcm-user, in the default namespace with full permissions, and generate a token for it:

kubectl create sa mcm-user
kubectl create clusterrolebinding mcm-user-admin --clusterrole=tigera-network-admin --serviceaccount=default:mcm-user
kubectl create token mcm-user -n default

Use the generated token to connect to the UI. In the top right banner in the UI, your management cluster is displayed as the first entry in the cluster selection drop-down menu with the fixed name, management cluster.

Congratulations! You have now installed Calico Enterprise for a management cluster using the Helm 3 chart.

Next steps

Recommended

Recommended - Networking

Recommended - Security