Skip to main content
Calico Open Source 3.29 (latest) documentation

Install Calico on an OpenShift HCP cluster

Big picture

Install Calico on an OpenShift Hosted Control Planes (HCP) cluster.

Value

Provides steps to install Calico in OpenShift Hosted Control Planes (HCP) clusters using the HyperShift middleware, augmenting the steps in the HyperShift documentation where appropriate.

How to

Before you begin

  • Ensure that your environment meets the Calico system requirements.

  • Ensure that you have a RedHat account. A RedHat account is required to get the pull secret necessary to provision an OpenShift cluster. Note that the OpenShift installer supports a subset of AWS regions.

  • If installing on AWS, ensure that you have:

    • Configured an AWS account appropriate for OpenShift 4
    • Set up your AWS credentials
    • Generated a local SSH private key and added it to your ssh-agent
  • Install the HyperShift CLI and fulfill all the other Prerequisites from the HyperShift documentation.

Create the hosting cluster

Deploy an OpenShift cluster with Calico. This will be the hosting cluster with control-plane nodes for all hosted clusters you deploy with the steps below. Set up your KUBECONFIG environment variable to your hosting cluster's kubeconfig file:

export KUBECONFIG=/path/to/kubeconfig

Install the HyperShift operator in the hosting cluster

Follow the steps from the HyperShift documentation to Install the HyperShift Operator.

Create a hosted cluster

Create a hosted cluster with Calico by going through the following steps (slightly modified from the HyperShift docs).

  1. Create a HostedCluster and set its HostedCluster.spec.networking.networkType to Other:
note

Make sure to adjust the variables for the command below to the correct values for your cluster, credentials and environment.

HOSTED_CLUSTER_NAME=my-os-hosted-cluster
REGION=us-west-2
BASE_DOMAIN=www.example.com
AWS_CREDS="$HOME/.aws/credentials"
PULL_SECRET="$HOME/.secrets/redhat-pull-secret.txt"

hypershift create cluster aws \
--name $HOSTED_CLUSTER_NAME \
--node-pool-replicas=3 \
--base-domain $BASE_DOMAIN \
--pull-secret $PULL_SECRET \
--aws-creds $AWS_CREDS \
--region $REGION \
--generate-ssh \
--network-type Other
note

If your hosted cluster is having authorization problems with your Red Hat pull secret (unauthorized: authentication required in the HyperShift operator pod logs), make sure it is using a stable release image for the OpenShift Container Platform (OCP). You can find them in [https://amd64.ocp.releases.ci.openshift.org], for example --release-image quay.io/openshift-release-dev/ocp-release:4.16.4-x86_64

note

There is currently an issue with the HyperShift middleware that will result in the hosted cluster installation not progressing due to a missing OVNSbDb service. Patch the hosted cluster resource in order to add it:

HOSTED_CLUSTER_NAME=my-os-hosted-cluster
CLUSTER_NS="clusters"
oc patch -n ${CLUSTER_NS} hostedcluster ${HOSTED_CLUSTER_NAME} --type='json' -p '[{"op": "add", "path": "/spec/services/-", "value": {"service":"OVNSbDb","servicePublishingStrategy": {"type": "Route"}}}]'

Once the hosted cluster is up, use the hypershift CLI tool to generate the kubeconfig file:

hypershift create kubeconfig > hosted_kubeconfig && export KUBECONFIG=$(pwd)/hosted_kubeconfig

Then, copy the aws-creds secret from the hosting cluster to the hosted cluster. Run this using the hosting cluster kubeconfig to extract the secret to a yaml file:

oc get secrets --kubeconfig /path/to/hosting/kubeconfig -n kube-system aws-creds -o yaml > aws-creds.yaml

Then import it in the hosted cluster:

oc apply --kubeconfig /path/to/hosted/kubeconfig -f aws-creds.yaml
note

There is no need to specify the --kubeconfig CLI argument if the hosted cluster's kubeconfig file is configured as the KUBECONFIG environment variable in your shell.

Download the Calico install manifests

Now download and apply the Calico manifests according to the HyperShift docs.

Download the Calico manifests for OpenShift:

mkdir calico
wget -qO- https://github.com/projectcalico/calico/releases/download/v3.29.1/ocp.tgz | tar xvz --strip-components=1 -C calico

Optionally provide additional configuration

You may want to provide Calico with additional configuration at install-time. For example, BGP configuration or peers. You can use a Kubernetes ConfigMap with your desired Calico resources to set configuration as part of the installation. If you do not need to provide additional configuration, you can skip this section.

To include Calico resources during installation, edit calico/02-configmap-calico-resources.yaml to add your own configuration.

note

If you have a directory with the Calico resources, you can create the file with the command:

oc create configmap -n tigera-operator calico-resources \
--from-file=<resource-directory> --dry-run -o yaml \
calico/02-configmap-calico-resources.yaml

With recent versions of oc it is necessary to have a kubeconfig configured or add --server='127.0.0.1:443' even though it is not used.

note

If you have provided a calico-resources configmap and the tigera-operator pod fails to come up with Init:CrashLoopBackOff, check the output of the init-container with oc logs -n tigera-operator -l k8s-app=tigera-operator -c create-initial-resources.

Apply the Calico install manifests

Apply the install manifests paying attention to the required order:

cd calico/
ls *crd*.yaml | xargs -n1 oc apply -f
ls 00* | xargs -n1 oc apply -f
ls 01* | xargs -n1 oc apply -f
ls 02* | xargs -n1 oc apply -f

Once the above commands are complete, you can verify Calico is installed by verifying the components are available with the following command.

oc get tigerastatus
note

To get more information, add -o yaml to the above command.

Next steps

Recommended - Networking

  • If you are using the default BGP networking with full-mesh node-to-node peering with no encapsulation, go to Configure BGP peering to get traffic flowing between pods.
  • If you are unsure about networking options, or want to implement encapsulation (overlay networking), see Determine best networking option.

Recommended - Security