Skip to main content
Version: main

Installing Weave GitOps EnterpriseEnterprise


To purchase an entitlement to Weave GitOps Enterprise, please contact

For more information about Weave GitOps Enterprise Edition, see the Enterprise feature page.

Follow the instructions on this page to:


There is no need to install Weave GitOps (OSS) before installing Weave GitOps Enterprise.

Prep Step: Create a Repository

Create a new private GitHub repository and give it a name. We'll call our repo fleet-infra.

Set up a Git client for your private repo. For GitHub, see their docs on setting your username and setting your email address.

1. Set up a Management Cluster with flux

These steps reflect Flux’s architecture and operations.

To get you started, we'll cover:

  • kind as our management cluster with the CAPD provider
  • EKS as our management cluster with the CAPA provider

Note that Weave GitOps Enterprise supports any combination of management cluster and CAPI provider.

1.1 We start by creating a kind-config
kind: Cluster
- role: control-plane
- hostPath: /var/run/docker.sock
containerPath: /var/run/docker.sock

The extraMounts enable the Docker CAPI provider (CAPD) to talk to the host docker.

1.2 Start your kind cluster using the configuration above and Kubernetes v1.23.6
kind create cluster --config kind-config.yaml --image=kindest/node:v1.23.6
Install Flux onto your cluster with the flux bootstrap command
flux bootstrap github \
--owner=<github username> \
--repository=fleet-infra \
--branch=main \
--path=./clusters/management \
--components-extra image-reflector-controller,image-automation-controller

Your private GitHub repo should have a clusters/management folder that includes the manifests Flux needs to operate, and that also generates a key value pair for Flux to access the repo.

  • owner - The username (or organization) of the git repository
  • repository - Git repository name
  • branch - Git branch (default "main")
  • path - Path relative to the repository root; when specified, the cluster sync will be scoped to this path
  • personal - If set, the owner is assumed to be a repo user

Go here for more information about flux and the flux bootstrap command.

At this point your Flux management cluster should be running. Take a look at the repository you created earlier.

2. Install a CAPI provider

clusterctl versions

Download a specific version of clusterctl from the releases page. We've tested the example templates provided in this guide with clusterctl version 1.1.3. You might need to use a different version, depending on the CAPI provider you plan to use.

You must install a CAPI provider to provision Kubernetes clusters. Visit the Cluster API Providers page for more details on providers.

Here we'll continue with our example instructions for CAPD and CAPA.

# Enable support for `ClusterResourceSet`s for automatically installing CNIs

clusterctl init --infrastructure docker

3. Apply the entitlements secret

Contact for a valid entitlements secret. Then apply it to the cluster:

kubectl apply -f entitlements.yaml

4. Configure access for writing to git from the UI

GitHub requires no additional configuration for OAuth git access

5. Configure and commit

We deploy WGE via a Helm chart. We'll save and adapt the below template before committing it in Git to a Flux-reconciled path.

Clone the newly created repo locally. We're gonna add some things!

git clone git@<provider>:<username>/fleet-infra
cd fleet-infra

Download the helm-release to clusters/management/weave-gitops-enterprise.yaml.

Expand to see file contents
kind: HelmRepository
name: weave-gitops-enterprise-charts
namespace: flux-system
interval: 60m
name: weave-gitops-enterprise-credentials
kind: HelmRelease
name: weave-gitops-enterprise
namespace: flux-system
interval: 65m
chart: mccp
kind: HelmRepository
name: weave-gitops-enterprise-charts
namespace: flux-system
version: 0.22.0
crds: CreateReplace
crds: CreateReplace
interval: 50m
# -- Configure TLS settings if needed
# tls:
# -- Can be disabled if TLS is handled by a user-provided ingress controller
# enabled: true
# -- optionally specify a TLS secret
# secretName: null
# -- Can be changed depending on your git repo structure
# repositoryPath: ./clusters/management/clusters
# repositoryClustersPath: ./cluster
type: github
# -- Change if using on-prem github/gitlab
# hostname:

Once you have copied the above file, open and adjust the following configuration options:


Ensure this has been set to your repository URL.


By default, WGE will create new clusters in the clusters/management/clusters path. You can configure it with values.config.capi.repositoryPath. You might what to change it to clusters/my-cluster/cluster if you configured Flux to reconcile ./clusters/my-cluster instead.


The other important path to configure is where you'll store applications and workloads run on the new cluster. By default this is ./clusters. When a new cluster is specified, any selected profiles will be written to ./clusters/{.namespace}/{.clusterName}/profiles.yaml. When the new cluster is bootstrapped, Flux will sync the ./clusters/{.namespace}/{.clusterName} path.

(Optional) Install policy agent

Policy agent comes packaged with the WGE chart. To install it, set the following values:

  • values.policy-agent.enabled: set to true to install the agent with WGE
  • values.policy-agent.config.accountId: organization name, used as identifier
  • values.policy-agent.config.clusterId: unique identifier for the cluster

Commit and push all the files

git add clusters/management/weave-gitops-enterprise.yaml
git commit -m "Deploy Weave GitOps Enterprise"
git push

Flux will reconcile the helm-release and WGE will be deployed into the cluster. You can check the flux-system namespace to verify all pods are running.

6. Configure password

To login to the WGE UI, generate a bcrypt hash for your chosen password and store it as a secret in the Kubernetes cluster.

There are several different ways to generate a bcrypt hash. This guide uses gitops get bcrypt-hash from our CLI, which you can install with these instructions.

PASSWORD="<Make up and insert a brand-new password here. Keeping the quotes, but remove the brackets.>"
echo -n $PASSWORD | gitops get bcrypt-hash

Use the hashed output to create a Kubernetes username/password secret. Insert it in the last line of this command, replacing what’s currently shown within the quotation marks ('$2a$.......').

kubectl create secret generic cluster-user-auth \
--namespace flux-system \
--from-literal=username=wego-admin \

7. Install the CLI

Install the Weave GitOps Enterprise CLI tool. You can use brew or curl.

brew install weaveworks/tap/gitops-ee
curl --silent --location "$(uname | tr '[:upper:]' '[:lower:]')-$(uname -m).tar.gz" | tar xz -C /tmp
sudo mv /tmp/gitops /usr/local/bin
gitops version

Next steps

In our Get Started document, we will walk you through logging into the open source version of our GitOps Dashboard and deploying an application.

Then you can check out:

(Optional) Install the TF-Controller

The TF-Controller is a controller for Flux to reconcile Terraform resources in a GitOps way.

With Flux and the TF-Controller, WGE makes it easy to add Terraform templates to clusters and continuously reconcile any changes made to the Terraform source manifest.

Check out our guide on how to use Terraform templates. Then try your hands at using it with the RDS example!

Install the TF-Controller to a cluster using Helm:

# Add tf-controller helm repository
helm repo add tf-controller

# Install tf-controller
helm upgrade -i tf-controller tf-controller/tf-controller \
--namespace flux-system

Consult the TF-Controller Installation documentation for more details on which parameters are configurable and how to install a specific version.