Installation reference

16 MINUTE READ
The Kubernetes resources below configure Calico installation when using the operator (currently, only on Openshift). Each resource is responsible for installing and configuring a different subsystem of Calico during installation. Most options can be modified on a running cluster using `kubectl`.

Packages:

operator.tigera.io/v1

API Schema definitions for configuring the installation of Calico and Calico Enterprise

Resource Types:

ImageSet

ImageSet is used to specify image digests for the images that the operator deploys. The name of the ImageSet is expected to be in the format <variang>-<release>. The variant used is enterprise if the InstallationSpec Variant is TigeraSecureEnterprise otherwise it is calico. The release must match the version of the variant that the operator is built to deploy, this version can be obtained by passing the --version flag to the operator binary.

Field Description
apiVersion
string
operator.tigera.io/v1
kind
string
ImageSet
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ImageSetSpec


images
[]Image

Images is the list of images to use digests. All images that the operator will deploy must be specified.

Installation

Installation configures an installation of Calico or Calico Enterprise. At most one instance of this resource is supported. It must be named “default”. The Installation API installs core networking and network policy components, and provides general install-time configuration.

Field Description
apiVersion
string
operator.tigera.io/v1
kind
string
Installation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
InstallationSpec

Specification of the desired state for the Calico or Calico Enterprise installation.



variant
ProductVariant
(Optional)

Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico

registry
string
(Optional)

Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used.

Image format: <registry>/<imagePath>/<imageName>:<image-tag>

This option allows configuring the <registry> portion of the above format.

imagePath
string
(Optional)

ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image path will be used for each image.

Image format: <registry>/<imagePath>/<imageName>:<image-tag>

This option allows configuring the <imagePath> portion of the above format.

imagePullSecrets
[]Kubernetes core/v1.LocalObjectReference
(Optional)

ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled.

kubernetesProvider
Provider
(Optional)

KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match.

cni
CNISpec
(Optional)

CNI specifies the CNI that will be used by this installation.

calicoNetwork
CalicoNetworkSpec
(Optional)

CalicoNetwork specifies networking configuration options for Calico.

typhaAffinity
TyphaAffinity
(Optional)

TyphaAffinity allows configuration of node affinity characteristics for Typha pods.

controlPlaneNodeSelector
map[string]string
(Optional)

ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico components. This is globally applied to all resources created by the operator excluding daemonsets.

controlPlaneTolerations
[]Kubernetes core/v1.Toleration
(Optional)

ControlPlaneTolerations specify tolerations which are then globally applied to all resources created by the operator.

nodeMetricsPort
int32
(Optional)

NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then prometheus metrics may still be configured through FelixConfiguration.

typhaMetricsPort
int32
(Optional)

TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled.

flexVolumePath
string
(Optional)

FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. If set to ‘None’, FlexVolume will be disabled. The default is based on the kubernetesProvider.

nodeUpdateStrategy
Kubernetes apps/v1.DaemonSetUpdateStrategy
(Optional)

NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field.

componentResources
[]ComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Node, Typha, and KubeControllers are supported for installations.

certificateManagement
CertificateManagement
(Optional)

CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.

status
InstallationStatus

Most recently observed state for the Calico or Calico Enterprise installation.

TigeraStatus

TigeraStatus represents the most recently observed status for Calico or a Calico Enterprise functional area.

Field Description
apiVersion
string
operator.tigera.io/v1
kind
string
TigeraStatus
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TigeraStatusSpec


status
TigeraStatusStatus

BGPOption (string alias)

(Appears on: CalicoNetworkSpec)

BGPOption describes the mode of BGP to use.

One of: Enabled, Disabled

CNIPluginType (string alias)

(Appears on: CNISpec)

CNIPluginType describes the type of CNI plugin used.

One of: Calico, GKE, AmazonVPC, AzureVNET

CNISpec

(Appears on: InstallationSpec)

CNISpec contains configuration for the CNI plugin.

Field Description
type
CNIPluginType

Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation. * For KubernetesProvider GKE, this field defaults to GKE. * For KubernetesProvider AKS, this field defaults to AzureVNET. * For KubernetesProvider EKS, this field defaults to AmazonVPC. * If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC. * For all other cases this field defaults to Calico.

For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment, for all other values the CNI plugin binaries and CNI config is a dependency that is expected to be installed separately.

Default: Calico

ipam
IPAMSpec
(Optional)

IPAM specifies the pod IP address management that will be used in the Calico or Calico Enterprise installation.

CalicoNetworkSpec

(Appears on: InstallationSpec)

CalicoNetworkSpec specifies configuration options for Calico provided pod networking.

Field Description
linuxDataplane
LinuxDataplaneOption
(Optional)

LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it causes the operator to add required mounts and environment variables for the particular dataplane. If not specified, iptables mode is used.

bgp
BGPOption
(Optional)

BGP configures whether or not to enable Calico’s BGP capabilities.

ipPools
[]IPPool
(Optional)

IPPools contains a list of IP pools to create if none exist. At most one IP pool of each address family may be specified. If omitted, a single pool will be configured if needed.

mtu
int32
(Optional)

MTU specifies the maximum transmission unit to use on the pod network. If not specified, Calico will perform MTU auto-detection based on the cluster network.

nodeAddressAutodetectionV4
NodeAddressAutodetection
(Optional)

NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, will use default auto-detection settings to acquire an IPv4 address for each node.

nodeAddressAutodetectionV6
NodeAddressAutodetection
(Optional)

NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified, IPv6 addresses will not be auto-detected.

hostPorts
HostPortsType
(Optional)

HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin. Default: Enabled

multiInterfaceMode
MultiInterfaceMode
(Optional)

MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations using the Calico CNI plugin. Default: None

containerIPForwarding
ContainerIPForwardingType
(Optional)

ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration. Default: Disabled

CertificateManagement

(Appears on: InstallationSpec)

CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.

Field Description
caCert
[]byte

Certificate of the authority that signs the CertificateSigningRequests in PEM format.

signerName
string

When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters with multiple signers. Must be formatted as: <my-domain>/<my-signername>.

keyAlgorithm
string
(Optional)

Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request. Default: RSAWithSize2048

signatureAlgorithm
string
(Optional)

Specify the algorithm used for the signature of the X.509 certificate request. Default: SHA256WithRSA

ComponentName (string alias)

(Appears on: ComponentResource)

ComponentName represents a single component.

One of: Node, Typha, KubeControllers

ComponentResource

(Appears on: InstallationSpec)

The ComponentResource struct associates a ResourceRequirements with a component by name

Field Description
componentName
ComponentName

ComponentName is an enum which identifies the component

resourceRequirements
Kubernetes core/v1.ResourceRequirements

ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.

ConditionStatus (string alias)

(Appears on: TigeraStatusCondition)

ConditionStatus represents the status of a particular condition. A condition may be one of: True, False, Unknown.

ContainerIPForwardingType (string alias)

(Appears on: CalicoNetworkSpec)

ContainerIPForwardingType specifies whether the CNI config for container ip forwarding is enabled.

EncapsulationType (string alias)

(Appears on: IPPool)

EncapsulationType is the type of encapsulation to use on an IP pool.

One of: IPIP, VXLAN, IPIPCrossSubnet, VXLANCrossSubnet, None

HostPortsType (string alias)

(Appears on: CalicoNetworkSpec)

HostPortsType specifies host port support.

One of: Enabled, Disabled

IPAMPluginType (string alias)

(Appears on: IPAMSpec)

IPAMSpec

(Appears on: CNISpec)

IPAMSpec contains configuration for pod IP address management.

Field Description
type
IPAMPluginType

Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation. * For CNI Plugin Calico, this field defaults to Calico. * For CNI Plugin GKE, this field defaults to HostLocal. * For CNI Plugin AzureVNET, this field defaults to AzureVNET. * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC.

The IPAM plugin is installed and configured only if the CNI plugin is set to Calico, for all other values of the CNI plugin the plugin binaries and CNI config is a dependency that is expected to be installed separately.

Default: Calico

IPPool

(Appears on: CalicoNetworkSpec)

Field Description
cidr
string

CIDR contains the address range for the IP Pool in classless inter-domain routing format.

encapsulation
EncapsulationType
(Optional)

Encapsulation specifies the encapsulation type that will be used with the IP Pool. Default: IPIP

natOutgoing
NATOutgoingType
(Optional)

NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. Default: Enabled

nodeSelector
string
(Optional)

NodeSelector specifies the node selector that will be set for the IP Pool. Default: ‘all()’

blockSize
int32
(Optional)

BlockSize specifies the CIDR prefex length to use when allocating per-node IP blocks from the main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)

Image

(Appears on: ImageSetSpec)

Field Description
image
string

Image is an image that the operator deploys and instead of using the built in tag the operator will use the Digest for the image identifier. The value should be the image name without registry or tag or digest. For the image docker.io/calico/node:v3.17.1 it should be represented as calico/node

digest
string

Digest is the image identifier that will be used for the Image. The field should not include a leading @ and must be prefixed with sha256:.

ImageSetSpec

(Appears on: ImageSet)

ImageSetSpec defines the desired state of ImageSet.

Field Description
images
[]Image

Images is the list of images to use digests. All images that the operator will deploy must be specified.

InstallationSpec

(Appears on: Installation, InstallationStatus)

InstallationSpec defines configuration for a Calico or Calico Enterprise installation.

Field Description
variant
ProductVariant
(Optional)

Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico

registry
string
(Optional)

Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used.

Image format: <registry>/<imagePath>/<imageName>:<image-tag>

This option allows configuring the <registry> portion of the above format.

imagePath
string
(Optional)

ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image path will be used for each image.

Image format: <registry>/<imagePath>/<imageName>:<image-tag>

This option allows configuring the <imagePath> portion of the above format.

imagePullSecrets
[]Kubernetes core/v1.LocalObjectReference
(Optional)

ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled.

kubernetesProvider
Provider
(Optional)

KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match.

cni
CNISpec
(Optional)

CNI specifies the CNI that will be used by this installation.

calicoNetwork
CalicoNetworkSpec
(Optional)

CalicoNetwork specifies networking configuration options for Calico.

typhaAffinity
TyphaAffinity
(Optional)

TyphaAffinity allows configuration of node affinity characteristics for Typha pods.

controlPlaneNodeSelector
map[string]string
(Optional)

ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico components. This is globally applied to all resources created by the operator excluding daemonsets.

controlPlaneTolerations
[]Kubernetes core/v1.Toleration
(Optional)

ControlPlaneTolerations specify tolerations which are then globally applied to all resources created by the operator.

nodeMetricsPort
int32
(Optional)

NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then prometheus metrics may still be configured through FelixConfiguration.

typhaMetricsPort
int32
(Optional)

TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled.

flexVolumePath
string
(Optional)

FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. If set to ‘None’, FlexVolume will be disabled. The default is based on the kubernetesProvider.

nodeUpdateStrategy
Kubernetes apps/v1.DaemonSetUpdateStrategy
(Optional)

NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field.

componentResources
[]ComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Node, Typha, and KubeControllers are supported for installations.

certificateManagement
CertificateManagement
(Optional)

CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.

InstallationStatus

(Appears on: Installation)

InstallationStatus defines the observed state of the Calico or Calico Enterprise installation.

Field Description
variant
ProductVariant

Variant is the most recently observed installed variant - one of Calico or TigeraSecureEnterprise

mtu
int32

MTU is the most recently observed value for pod network MTU. This may be an explicitly configured value, or based on Calico’s native auto-detetion.

imageSet
string
(Optional)

ImageSet is the name of the ImageSet being used, if there is an ImageSet that is being used. If an ImageSet is not being used then this will not be set.

computed
InstallationSpec
(Optional)

Computed is the final installation including overlaid resources.

LinuxDataplaneOption (string alias)

(Appears on: CalicoNetworkSpec)

MultiInterfaceMode (string alias)

(Appears on: CalicoNetworkSpec)

MultiInterfaceMode describes the method of providing multiple pod interfaces.

One of: None, Multus

NATOutgoingType (string alias)

(Appears on: IPPool)

NATOutgoingType describe the type of outgoing NAT to use.

One of: Enabled, Disabled

NodeAddressAutodetection

(Appears on: CalicoNetworkSpec)

NodeAddressAutodetection provides configuration options for auto-detecting node addresses. At most one option can be used. If no detection option is specified, then IP auto detection will be disabled for this address family and IPs must be specified directly on the Node resource.

Field Description
firstFound
bool
(Optional)

FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names.

interface
string
(Optional)

Interface enables IP auto-detection based on interfaces that match the given regex.

skipInterface
string
(Optional)

SkipInterface enables IP auto-detection based on interfaces that do not match the given regex.

canReach
string
(Optional)

CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain.

cidrs
[]string

CIDRS enables IP auto-detection based on which addresses on the nodes are within one of the provided CIDRs.

PreferredNodeAffinity

(Appears on: TyphaAffinity)

PreferredNodeAffinity is similar to an affinity except it only exposes the Preferred scheduling option, which ensures a pod will still be scheduled even when all the nodes it matches are unschedulable.

Field Description
preferredDuringSchedulingIgnoredDuringExecution
[]Kubernetes core/v1.PreferredSchedulingTerm
(Optional)

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.

ProductVariant (string alias)

(Appears on: InstallationSpec, InstallationStatus)

ProductVariant represents the variant of the product.

One of: Calico, TigeraSecureEnterprise

PromptType (string alias)

PromptType is a value that specifies whether the identity provider prompts the end user for re-authentication and consent. One of: None, Login, Consent, SelectAccount.

Provider (string alias)

(Appears on: InstallationSpec)

Provider represents a particular provider or flavor of Kubernetes. Valid options are: EKS, GKE, AKS, OpenShift, DockerEnterprise.

StatusConditionType (string alias)

(Appears on: TigeraStatusCondition)

StatusConditionType is a type of condition that may apply to a particular component.

TigeraStatusCondition

(Appears on: TigeraStatusStatus)

TigeraStatusCondition represents a condition attached to a particular component.

Field Description
type
StatusConditionType

The type of condition. May be Available, Progressing, or Degraded.

status
ConditionStatus

The status of the condition. May be True, False, or Unknown.

lastTransitionTime
Kubernetes meta/v1.Time

The timestamp representing the start time for the current status.

reason
string

A brief reason explaining the condition.

message
string

Optionally, a detailed message providing additional context.

TigeraStatusSpec

(Appears on: TigeraStatus)

TigeraStatusSpec defines the desired state of TigeraStatus

TigeraStatusStatus

(Appears on: TigeraStatus)

TigeraStatusStatus defines the observed state of TigeraStatus

Field Description
conditions
[]TigeraStatusCondition

Conditions represents the latest observed set of conditions for this component. A component may be one or more of Available, Progressing, or Degraded.

TyphaAffinity

(Appears on: InstallationSpec)

TyphaAffinity allows configuration of node affinitiy characteristics for Typha pods.

Field Description
nodeAffinity
PreferredNodeAffinity
(Optional)

NodeAffinity describes node affinity scheduling rules for typha.