Calico Enterprise 3.18 documentation

Create a Calico Enterprise managed cluster

Big picture

Create a Calico Enterprise managed cluster that you can control from your management cluster using Helm 3.

Value

Helm charts are a way to package up an application for Kubernetes (similar to apt or yum for operating systems). Helm is also used by tools like ArgoCD to manage applications in a cluster, taking care of install, upgrade (and rollback if needed), etc.

Before you begin

Required

Concepts

Operator-based installation

In this guide, you install the Tigera Calico operator and custom resource definitions using the Helm 3 chart. The Tigera operator provides lifecycle management for Calico Enterprise, exposed through the Kubernetes API as a custom resource definition.

How to

Download the Helm chart

curl -O -L https://downloads.tigera.io/ee/charts/tigera-operator-v3.18.6-0.tgz

Customize the Helm chart

If you are installing on a cluster installed by EKS, GKE, AKS or Mirantis Kubernetes Engine (MKE), or you need to customize TLS certificates, you must customize this Helm chart by creating a values.yaml file. Otherwise, you can skip this step.

  1. If you are installing on a cluster installed by EKS, GKE, AKS or Mirantis Kubernetes Engine (MKE), set the kubernetesProvider as described in the Installation reference. For example:
echo 'installation: { kubernetesProvider: EKS }' > values.yaml

For an Azure AKS cluster with no Kubernetes CNI pre-installed, create values.yaml with the following command:

cat > values.yaml <<EOF
installation:
  kubernetesProvider: AKS
  cni:
    type: Calico
  calicoNetwork:
    bgp: Disabled
    ipPools:
    - cidr: 10.244.0.0/16
      encapsulation: VXLAN
EOF
  2. Add any other customizations you require to values.yaml. To see the values that can be customized in the chart, run the following command:
helm show values ./tigera-operator-v3.18.6-0.tgz

Install Calico Enterprise

To install a Calico Enterprise managed cluster with Helm:

  1. Export the service port number, and the public IP or host of the management cluster (for example, "example.com:1234" or "10.0.0.10:1234").
export MANAGEMENT_CLUSTER_ADDR=<your-management-cluster-addr>
  2. Export the management cluster certificate and the managed cluster certificate and key.

If you haven't already done so, generate the base64-encoded CRT and KEY for this managed cluster:

openssl genrsa 2048 | base64 -w 0 > my-managed-cluster.key.base64
openssl req -new -key <(base64 -d my-managed-cluster.key.base64) -subj "/CN=my-managed-cluster" | \
  openssl x509 -req -signkey <(base64 -d my-managed-cluster.key.base64) -days 365 | base64 -w 0 > my-managed-cluster.crt.base64

Get the MANAGEMENT_CLUSTER_CRT by running the following command on the management cluster:

kubectl get secret -n tigera-operator $(kubectl get managementcluster tigera-secure -o jsonpath='{.spec.tls.secretName}') -o jsonpath='{.data.tls\.crt}' > management-cluster.crt.base64

Export the managed cluster variables:

export MANAGEMENT_CLUSTER_CRT=$(cat management-cluster.crt.base64)
export MANAGED_CLUSTER_CRT=$(cat my-managed-cluster.crt.base64)
export MANAGED_CLUSTER_KEY=$(cat my-managed-cluster.key.base64)
  3. Append the management cluster context to your values.yaml:
echo "
managementClusterConnection:
  enabled: true
  managementClusterAddress: $MANAGEMENT_CLUSTER_ADDR
  management:
    tls:
      crt: $MANAGEMENT_CLUSTER_CRT
  managed:
    tls:
      crt: $MANAGED_CLUSTER_CRT
      key: $MANAGED_CLUSTER_KEY" >> values.yaml
  4. Install the Tigera operator and custom resource definitions using the Helm 3 chart:
helm install calico-enterprise tigera-operator-v3.18.6-0.tgz -f values.yaml \
  --set-file imagePullSecrets.tigera-pull-secret=<path/to/pull/secret>,tigera-prometheus-operator.imagePullSecrets.tigera-pull-secret=<path/to/pull/secret> \
  --set-file licenseKeyContent=<path/to/license/file/yaml> \
  --set logStorage.enabled=false --set manager.enabled=false \
  --namespace tigera-operator --create-namespace
  5. You can now monitor progress with the following command:
watch kubectl get tigerastatus
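The values.yaml assembled in the steps above carries three base64-encoded PEM blobs and one address, and a mistake in any of them (a key that does not belong to the certificate, a secret pasted without base64, a missing port) only surfaces after the operator has rolled out and the tunnel to the management cluster fails to come up. The following pre-flight script is an added example, not part of the Calico Enterprise docs or the tigera-operator chart: it reads the generated values.yaml, checks that managementClusterAddress is host:port, that each tls field decodes to a PEM block of the right kind, that the managed cluster certificate was issued for the managed cluster key, and that it is not about to expire. The field names are the ones the echo step writes; the yaml_nth helper is a hypothetical minimal extractor for that flat file, not a YAML parser, and the script assumes openssl and base64 are on PATH.

```shell
#!/bin/sh
# Added example (not from the Calico Enterprise docs or the Helm chart):
# pre-flight checks on the values.yaml built above, run before "helm install".
# Assumed layout, as written by the echo step:
#   managementClusterConnection.managementClusterAddress  host:port
#   managementClusterConnection.management.tls.crt        base64(PEM cert)
#   managementClusterConnection.managed.tls.crt           base64(PEM cert)
#   managementClusterConnection.managed.tls.key           base64(PEM key)
# Requires openssl and base64 on PATH.

# Print the N-th occurrence (default 1) of "KEY: value" in FILE.
# Hypothetical helper: enough for this flat generated file, not a YAML parser.
yaml_nth() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed -n "${3:-1}p"
}

# Address must be host:port with a port in 1..65535.
check_addr() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$' || return 1
    port=${1##*:}
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Decode base64 and confirm the result is a PEM block of the expected kind
# ("CERTIFICATE" or "PRIVATE KEY").
check_pem_b64() {
    printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -- "-----BEGIN .*$2-----"
}

# The managed cluster cert must have been issued for the managed cluster key:
# compare the public key inside the cert with the one derived from the key.
check_cert_key_match() {
    d=$(mktemp -d) || return 1
    printf '%s' "$1" | base64 -d > "$d/crt.pem" 2>/dev/null
    printf '%s' "$2" | base64 -d > "$d/key.pem" 2>/dev/null
    crt_pub=$(openssl x509 -in "$d/crt.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$d/key.pem" -pubout 2>/dev/null)
    rm -rf "$d"
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Cert must still be valid SECONDS from now (openssl x509 -checkend).
check_cert_not_expiring() {
    printf '%s' "$1" | base64 -d 2>/dev/null | openssl x509 -noout -checkend "$2" >/dev/null 2>&1
}

# Run every check against FILE, print one line per failure, return 1 if any failed.
validate_values() {
    f=$1; rc=0
    addr=$(yaml_nth "$f" managementClusterAddress)
    mgmt_crt=$(yaml_nth "$f" crt 1)   # first crt: line is management.tls.crt
    mgd_crt=$(yaml_nth "$f" crt 2)    # second crt: line is managed.tls.crt
    mgd_key=$(yaml_nth "$f" key 1)
    check_addr "$addr" || { echo "bad managementClusterAddress: '$addr'"; rc=1; }
    check_pem_b64 "$mgmt_crt" CERTIFICATE || { echo "management.tls.crt is not a base64 PEM certificate"; rc=1; }
    check_pem_b64 "$mgd_crt" CERTIFICATE || { echo "managed.tls.crt is not a base64 PEM certificate"; rc=1; }
    check_pem_b64 "$mgd_key" "PRIVATE KEY" || { echo "managed.tls.key is not a base64 PEM private key"; rc=1; }
    check_cert_key_match "$mgd_crt" "$mgd_key" || { echo "managed.tls.crt does not match managed.tls.key"; rc=1; }
    check_cert_not_expiring "$mgd_crt" 604800 || { echo "managed.tls.crt expires within 7 days"; rc=1; }
    return $rc
}

# Usage: validate_values values.yaml && helm install calico-enterprise ...
```

Run it against values.yaml between the append step and helm install; a non-zero exit with the printed reasons means the file should be fixed before the chart is applied. The management cluster certificate is only checked for shape here, since its validity is verified on the management cluster where it was issued. Note that the kubectl command above already yields base64 (Secret data is base64 in the API), which is why all three tls fields are decoded the same way.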

Provide permissions to view the managed cluster

To access resources belonging to a managed cluster from the Calico Enterprise web console, the service or user account used to log in must have appropriate permissions defined in the managed cluster.

Define admin-level permissions for the service account mcm-user we created to log in to the web console. Run the following command against your managed cluster.

kubectl create clusterrolebinding mcm-user-admin --clusterrole=tigera-network-admin --serviceaccount=default:mcm-user

Congratulations! You have now installed Calico Enterprise for a managed cluster using the Helm 3 chart.
