From 449a81b1cd4afa00e60296840eff81d4e2be7b9f Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 12:42:13 -0700 Subject: [PATCH 01/18] voltron: use combined calico image --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- pkg/controller/manager/manager_controller_test.go | 8 ++++---- pkg/render/manager.go | 3 ++- pkg/render/manager_test.go | 2 +- 6 files changed, 7 insertions(+), 28 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 6cf7dcab49..e7fe218005 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -6,9 +6,6 @@ components: manager: image: manager version: master - voltron: - image: voltron - version: master calico: image: calico version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index eda01ab884..bd95910b75 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -226,15 +226,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with .Components.voltron }} - ComponentManagerProxy = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "packetcapture" }} ComponentPacketCapture = Component{ Version: "{{ .Version }}", @@ -472,7 +463,6 @@ var ( ComponentKibana, ComponentManager, ComponentDex, - ComponentManagerProxy, ComponentPacketCapture, ComponentPolicyRecommendation, ComponentEgressGateway, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 0ff97f0b54..c7c8d555f3 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -203,14 +203,6 @@ var ( variant: enterpriseVariant, } - ComponentManagerProxy = Component{ - Version: "master", - Image: "voltron", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentPacketCapture = Component{ Version: "master", Image: "packetcapture", @@ -422,7 +414,6 @@ var ( ComponentKibana, ComponentManager, ComponentDex, - ComponentManagerProxy, ComponentPacketCapture, ComponentPolicyRecommendation, ComponentEgressGateway, diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go index 8fc5544954..3eed8a23f0 100644 --- a/pkg/controller/manager/manager_controller_test.go +++ b/pkg/controller/manager/manager_controller_test.go @@ -640,8 +640,8 @@ var _ = Describe("Manager controller tests", func() { Expect(vltrn.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentManagerProxy.Image, - components.ComponentManagerProxy.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) }) It("should use images from imageset", func() { mockStatus.On("RemoveCertificateSigningRequests", mock.Anything).Return() @@ -651,7 +651,7 @@ var _ = Describe("Manager controller tests", func() { Images: []operatorv1.Image{ {Image: "tigera/manager", Digest: "sha256:managerhash"}, {Image: "tigera/ui-apis", Digest: "sha256:uiapihash"}, - {Image: "tigera/voltron", Digest: "sha256:voltronhash"}, + {Image: "tigera/calico", Digest: "sha256:voltronhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -694,7 +694,7 @@ var _ = Describe("Manager controller tests", func() { Expect(vltrn.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentManagerProxy.Image, + components.ComponentTigeraCalico.Image, "sha256:voltronhash"))) }) }) diff --git a/pkg/render/manager.go b/pkg/render/manager.go index 543d0b2509..134a888e58 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go @@ -238,7 +238,7 @@ func (c *managerComponent) ResolveImages(is *operatorv1.ImageSet) error { errMsgs = append(errMsgs, err.Error()) } - c.voltronImage, err = components.GetReference(components.ComponentManagerProxy, reg, path, prefix, is) + c.voltronImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -669,6 +669,7 @@ func (c *managerComponent) voltronContainer() corev1.Container { Name: VoltronName, Image: c.voltronImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "voltron"}, Env: env, VolumeMounts: mounts, LivenessProbe: c.managerProxyProbe(), diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index 92243e464d..6b3ffc8087 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go @@ -132,7 +132,7 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { Expect(manager.Image).Should(Equal(components.TigeraRegistry + "tigera/manager:" + components.ComponentManager.Version)) Expect(uiAPIs.Image).Should(Equal(components.TigeraRegistry + "tigera/ui-apis:" + components.ComponentUIAPIs.Version)) Expect(dashboard.Image).Should(Equal(components.TigeraRegistry + "tigera/ui-apis:" + components.ComponentUIAPIs.Version)) - Expect(voltron.Image).Should(Equal(components.TigeraRegistry + "tigera/voltron:" + components.ComponentManagerProxy.Version)) + Expect(voltron.Image).Should(Equal(components.CalicoRegistry + "calico/calico:" + components.ComponentCalico.Version)) // manager container Expect(*manager.SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) From 0ca8853bb75c71ceb9ab1737cea27f4a6ea9ec65 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 13:09:39 -0700 Subject: [PATCH 02/18] linseed: use combined calico image Linseed now ships as a cobra subcommand of the combined calico binary, so render the deployment with the calico image and dispatch via "calico component linseed". Probes use the matching ready/live subcommands. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 9 --------- pkg/components/enterprise.go | 9 --------- .../logstorage/linseed/linseed_controller_test.go | 8 ++++---- pkg/render/logstorage/linseed/linseed.go | 7 ++++--- pkg/render/logstorage/linseed/linseed_test.go | 6 ++++-- 6 files changed, 12 insertions(+), 30 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index e7fe218005..a75dcb48f5 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -24,9 +24,6 @@ components: ui-apis: image: ui-apis version: master - linseed: - image: linseed - version: master es-gateway: image: es-gateway version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index bd95910b75..578cb05337 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -145,15 +145,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "linseed" }} - ComponentLinseed = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with .Components.fluentd }} ComponentFluentd = Component{ Version: "{{ .Version }}", diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index c7c8d555f3..6390554932 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -131,14 +131,6 @@ var ( variant: enterpriseVariant, } - ComponentLinseed = Component{ - Version: "master", - Image: "linseed", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentFluentd = Component{ Version: "master", Image: "fluentd", @@ -430,7 +422,6 @@ var ( ComponentTigeraCNIWindows, ComponentElasticsearchMetrics, ComponentESGateway, - ComponentLinseed, ComponentL7AdmissionController, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, diff --git a/pkg/controller/logstorage/linseed/linseed_controller_test.go b/pkg/controller/logstorage/linseed/linseed_controller_test.go index 41dd333740..bc6823677c 100644 --- a/pkg/controller/logstorage/linseed/linseed_controller_test.go +++ b/pkg/controller/logstorage/linseed/linseed_controller_test.go @@ -262,7 +262,7 @@ var _ = Describe("LogStorage Linseed controller", func() { {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, {Image: "tigera/elasticsearch-metrics", Digest: "sha256:esmetricshash"}, {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, - {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, + {Image: "tigera/calico", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -283,7 +283,7 @@ var _ = Describe("LogStorage Linseed controller", func() { Expect(test.GetResource(cli, &linseedDp)).To(BeNil()) linseed := test.GetContainer(linseedDp.Spec.Template.Spec.Containers, linseed.DeploymentName) Expect(linseed).ToNot(BeNil()) - Expect(linseed.Image).To(Equal(fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, components.ComponentLinseed.Image, "sha256:linseedhash"))) + Expect(linseed.Image).To(Equal(fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, components.ComponentTigeraCalico.Image, "sha256:linseedhash"))) }) }) @@ -485,7 +485,7 @@ var _ = Describe("LogStorage Linseed controller", func() { {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, {Image: "tigera/elasticsearch-metrics", Digest: "sha256:esmetricshash"}, {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, - {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, + {Image: "tigera/calico", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -506,7 +506,7 @@ var _ = Describe("LogStorage Linseed controller", func() { Expect(test.GetResource(cli, &linseedDp)).To(BeNil()) linseed := test.GetContainer(linseedDp.Spec.Template.Spec.Containers, linseed.DeploymentName) Expect(linseed).ToNot(BeNil()) - Expect(linseed.Image).To(Equal(fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, components.ComponentLinseed.Image, "sha256:linseedhash"))) + Expect(linseed.Image).To(Equal(fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, components.ComponentTigeraCalico.Image, "sha256:linseedhash"))) }) Context("External ES mode", func() { diff --git a/pkg/render/logstorage/linseed/linseed.go b/pkg/render/logstorage/linseed/linseed.go index 8ada1a33da..9ab6cae0ef 100644 --- a/pkg/render/logstorage/linseed/linseed.go +++ b/pkg/render/logstorage/linseed/linseed.go @@ -137,7 +137,7 @@ func (l *linseed) ResolveImages(is *operatorv1.ImageSet) error { errMsgs := []string{} // Calculate the image(s) to use for Linseed, given user registry configuration. - l.linseedImage, err = components.GetReference(components.ComponentLinseed, reg, path, prefix, is) + l.linseedImage, err = components.GetReference(components.CombinedCalicoImage(l.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -461,13 +461,14 @@ func (l *linseed) linseedDeployment() *appsv1.Deployment { Name: DeploymentName, Image: l.linseedImage, ImagePullPolicy: render.ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "linseed"}, Env: envVars, VolumeMounts: volumeMounts, SecurityContext: sc, ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ - Command: []string{"/linseed", "-ready"}, + Command: []string{components.CalicoBinaryPath, "component", "linseed", "ready"}, }, }, InitialDelaySeconds: 10, @@ -475,7 +476,7 @@ func (l *linseed) linseedDeployment() *appsv1.Deployment { LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ - Command: []string{"/linseed", "-live"}, + Command: []string{components.CalicoBinaryPath, "component", "linseed", "live"}, }, }, InitialDelaySeconds: 10, diff --git a/pkg/render/logstorage/linseed/linseed_test.go b/pkg/render/logstorage/linseed/linseed_test.go index c0dae08570..bae479e483 100644 --- a/pkg/render/logstorage/linseed/linseed_test.go +++ b/pkg/render/logstorage/linseed/linseed_test.go @@ -38,6 +38,7 @@ import ( operatorv1 "github.com/tigera/operator/api/v1" "github.com/tigera/operator/pkg/apis" "github.com/tigera/operator/pkg/common" + "github.com/tigera/operator/pkg/components" "github.com/tigera/operator/pkg/controller/certificatemanager" ctrlrfake "github.com/tigera/operator/pkg/ctrlruntime/client/fake" "github.com/tigera/operator/pkg/dns" @@ -1030,6 +1031,7 @@ func expectedContainers() []corev1.Container { { Name: DeploymentName, ImagePullPolicy: render.ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "linseed"}, SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), @@ -1042,7 +1044,7 @@ func expectedContainers() []corev1.Container { ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ - Command: []string{"/linseed", "-ready"}, + Command: []string{components.CalicoBinaryPath, "component", "linseed", "ready"}, }, }, InitialDelaySeconds: 10, @@ -1050,7 +1052,7 @@ func expectedContainers() []corev1.Container { LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ - Command: []string{"/linseed", "-live"}, + Command: []string{components.CalicoBinaryPath, "component", "linseed", "live"}, }, }, InitialDelaySeconds: 10, From c8a7417041faee31de3541173afd2fb4715d99eb Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 13:22:05 -0700 Subject: [PATCH 03/18] prometheus-service: use combined calico image Render the tigera-prometheus authn-proxy container with the calico image and dispatch via "calico component prometheus-service". --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 9 --------- pkg/components/enterprise.go | 9 --------- pkg/render/monitor/monitor.go | 3 ++- 4 files changed, 2 insertions(+), 22 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index a75dcb48f5..4611acbe23 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -98,9 +98,6 @@ components: alertmanager: image: alertmanager version: master - tigera-prometheus-service: - image: prometheus-service - version: master deep-packet-inspection: image: deep-packet-inspection version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index 578cb05337..f8f4718736 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -312,15 +312,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "tigera-prometheus-service" }} - ComponentTigeraPrometheusService = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "coreos-alertmanager" }} ComponentCoreOSAlertmanager = Component{ Version: "{{ .Version }}", diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 6390554932..8f80055e29 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -279,14 +279,6 @@ var ( variant: enterpriseVariant, } - ComponentTigeraPrometheusService = Component{ - Version: "master", - Image: "prometheus-service", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentCoreOSAlertmanager = Component{ Version: "v0.30.1", variant: enterpriseVariant, @@ -415,7 +407,6 @@ var ( ComponentDikastes, ComponentQueryServer, ComponentPrometheus, - ComponentTigeraPrometheusService, ComponentPrometheusAlertmanager, ComponentTigeraNode, ComponentTigeraNodeWindows, diff --git a/pkg/render/monitor/monitor.go b/pkg/render/monitor/monitor.go index b101f2d223..f966046b0f 100644 --- a/pkg/render/monitor/monitor.go +++ b/pkg/render/monitor/monitor.go @@ -200,7 +200,7 @@ func (mc *monitorComponent) ResolveImages(is *operatorv1.ImageSet) error { errMsgs = append(errMsgs, err.Error()) } - mc.prometheusServiceImage, err = components.GetReference(components.ComponentTigeraPrometheusService, reg, path, prefix, is) + mc.prometheusServiceImage, err = components.GetReference(components.CombinedCalicoImage(mc.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -642,6 +642,7 @@ func (mc *monitorComponent) prometheus() *monitoringv1.Prometheus { Name: "authn-proxy", Image: mc.prometheusServiceImage, ImagePullPolicy: render.ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "prometheus-service"}, Ports: []corev1.ContainerPort{ { ContainerPort: PrometheusProxyPort, From 90153902c0f419f915ad5ef4a12eca28131b3da0 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 13:40:13 -0700 Subject: [PATCH 04/18] policy-recommendation: use combined calico image Render the policy-recommendation-controller container with the calico image and dispatch via "calico component policy-recommendation". --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- .../policyrecommendation_controller_test.go | 8 ++++---- pkg/render/policyrecommendation.go | 3 ++- 5 files changed, 6 insertions(+), 27 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 4611acbe23..2c3cc8fe2b 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -81,9 +81,6 @@ components: packetcapture: image: packetcapture version: master - policy-recommendation: - image: policy-recommendation - version: master # coreos-prometheus holds the version of prometheus built for tigera/prometheus, # which prometheus operator uses to validate. coreos-prometheus: diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index f8f4718736..a6925bfe14 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -226,15 +226,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "policy-recommendation" }} - ComponentPolicyRecommendation = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "egress-gateway" }} ComponentEgressGateway = Component{ Version: "{{ .Version }}", @@ -446,7 +437,6 @@ var ( ComponentManager, ComponentDex, ComponentPacketCapture, - ComponentPolicyRecommendation, ComponentEgressGateway, ComponentL7Collector, ComponentGatewayL7Collector, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 8f80055e29..b0200b6e9b 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -203,14 +203,6 @@ var ( variant: enterpriseVariant, } - ComponentPolicyRecommendation = Component{ - Version: "master", - Image: "policy-recommendation", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentEgressGateway = Component{ Version: "master", Image: "egress-gateway", @@ -399,7 +391,6 @@ var ( ComponentManager, ComponentDex, ComponentPacketCapture, - ComponentPolicyRecommendation, ComponentEgressGateway, ComponentL7Collector, ComponentGatewayL7Collector, diff --git a/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go b/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go index 2fa82e54ad..9b3b9d7c15 100644 --- a/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go +++ b/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go @@ -194,8 +194,8 @@ var _ = Describe("PolicyRecommendation controller tests", func() { Expect(controller).ToNot(BeNil()) Expect(controller.Image).To(Equal(fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentPolicyRecommendation.Image, - components.ComponentPolicyRecommendation.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) }) It("should use images from imageset", func() { @@ -203,7 +203,7 @@ var _ = Describe("PolicyRecommendation controller tests", func() { ObjectMeta: metav1.ObjectMeta{Name: "enterprise-" + components.EnterpriseRelease}, Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ - {Image: "tigera/policy-recommendation", Digest: "sha256:policyrecommendationcontrollerhash"}, + {Image: "tigera/calico", Digest: "sha256:policyrecommendationcontrollerhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -226,7 +226,7 @@ var _ = Describe("PolicyRecommendation controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentPolicyRecommendation.Image, + components.ComponentTigeraCalico.Image, "sha256:policyrecommendationcontrollerhash"))) }) }) diff --git a/pkg/render/policyrecommendation.go b/pkg/render/policyrecommendation.go index a54a90b555..9526d9d2a9 100644 --- a/pkg/render/policyrecommendation.go +++ b/pkg/render/policyrecommendation.go @@ -97,7 +97,7 @@ func (pr *policyRecommendationComponent) ResolveImages(is *operatorv1.ImageSet) prefix := pr.cfg.Installation.ImagePrefix var err error - pr.image, err = components.GetReference(components.ComponentPolicyRecommendation, reg, path, prefix, is) + pr.image, err = components.GetReference(components.CombinedCalicoImage(pr.cfg.Installation), reg, path, prefix, is) if err != nil { return err } @@ -361,6 +361,7 @@ func (pr *policyRecommendationComponent) deployment() *appsv1.Deployment { Name: "policy-recommendation-controller", Image: pr.image, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "policy-recommendation"}, Env: envs, SecurityContext: securitycontext.NewNonRootContext(), VolumeMounts: volumeMounts, From 831589e122fdeeef51afa930b3af2d27c27e859a Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 13:58:37 -0700 Subject: [PATCH 05/18] webhooks-processor: switch to combined calico image Drop ComponentSecurityEventWebhooksProcessor from the enterprise component list and point the webhooks-processor container in the intrusion detection render at CombinedCalicoImage with the "calico component webhooks-processor" entrypoint. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- .../intrusiondetection_controller_test.go | 3 +-- pkg/render/intrusion_detection.go | 3 ++- 5 files changed, 3 insertions(+), 25 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 2c3cc8fe2b..705dabee2d 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -54,9 +54,6 @@ components: waf-http-filter: image: waf-http-filter version: master - webhooks-processor: - image: webhooks-processor - version: master compliance-controller: image: compliance-controller version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index a6925bfe14..6256f9d6b5 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -181,15 +181,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "webhooks-processor" }} - ComponentSecurityEventWebhooksProcessor = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with .Components.kibana }} ComponentKibana = Component{ Version: "{{ .Version }}", @@ -432,7 +423,6 @@ var ( ComponentFluentdWindows, ComponentIntrusionDetectionController, ComponentWAFHTTPFilter, - ComponentSecurityEventWebhooksProcessor, ComponentKibana, ComponentManager, ComponentDex, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index b0200b6e9b..e38ad37eef 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -163,14 +163,6 @@ var ( variant: enterpriseVariant, } - ComponentSecurityEventWebhooksProcessor = Component{ - Version: "master", - Image: "webhooks-processor", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentKibana = Component{ Version: "master", Image: "kibana", @@ -386,7 +378,6 @@ var ( ComponentFluentdWindows, ComponentIntrusionDetectionController, ComponentWAFHTTPFilter, - ComponentSecurityEventWebhooksProcessor, ComponentKibana, ComponentManager, ComponentDex, diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 5be8dc13bb..3f576c2b02 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -267,8 +267,7 @@ var _ = Describe("IntrusionDetection controller tests", func() { Images: []operatorv1.Image{ {Image: "tigera/intrusion-detection-controller", Digest: "sha256:intrusiondetectioncontrollerhash"}, {Image: "tigera/deep-packet-inspection", Digest: "sha256:deeppacketinspectionhash"}, - {Image: "tigera/webhooks-processor", Digest: "sha256:webhooksprocessorhash"}, - {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, + {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, })).ToNot(HaveOccurred()) diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go index 2c27553543..d7284c3f05 100644 --- a/pkg/render/intrusion_detection.go +++ b/pkg/render/intrusion_detection.go @@ -137,7 +137,7 @@ func (c *intrusionDetectionComponent) ResolveImages(is *operatorv1.ImageSet) err errMsgs = append(errMsgs, err.Error()) } - c.webhooksProcessorImage, err = components.GetReference(components.ComponentSecurityEventWebhooksProcessor, reg, path, prefix, is) + c.webhooksProcessorImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -688,6 +688,7 @@ func (c *intrusionDetectionComponent) webhooksControllerContainer() corev1.Conta Name: "webhooks-processor", Image: c.webhooksProcessorImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "webhooks-processor"}, Env: envVars, SecurityContext: securitycontext.NewNonRootContext(), VolumeMounts: volumeMounts, From 15068d06abb1d1070602e33ce0d9b89574e77746 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 18:35:56 -0700 Subject: [PATCH 06/18] queryserver: switch to combined calico image Drop ComponentQueryServer from the enterprise component list and point the queryserver container in the apiserver render at CombinedCalicoImage with the "calico component queryserver" entrypoint. Also drop the stale ComponentTigeraPrometheusService list reference in the enterprise template that was left behind by the prometheus-service migration. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 11 ----------- pkg/components/enterprise.go | 9 --------- pkg/controller/apiserver/apiserver_controller_test.go | 9 ++++----- pkg/render/apiserver.go | 5 ++--- pkg/render/apiserver_test.go | 2 +- 6 files changed, 7 insertions(+), 32 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 705dabee2d..45be392729 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -114,9 +114,6 @@ components: dikastes: image: dikastes version: master - queryserver: - image: queryserver - version: master l7-admission-controller: image: l7-admission-controller version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index 6256f9d6b5..18f35bba84 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -261,15 +261,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "queryserver" }} - ComponentQueryServer = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "l7-admission-controller" }} ComponentL7AdmissionController = Component{ Version: "{{ .Version }}", @@ -432,9 +423,7 @@ var ( ComponentGatewayL7Collector, ComponentEnvoyProxy, ComponentDikastes, - ComponentQueryServer, ComponentPrometheus, - ComponentTigeraPrometheusService, ComponentPrometheusAlertmanager, ComponentTigeraNode, ComponentTigeraNodeWindows, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index e38ad37eef..5bc8d24b6d 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -234,14 +234,6 @@ var ( variant: enterpriseVariant, } - ComponentQueryServer = Component{ - Version: "master", - Image: "queryserver", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentL7AdmissionController = Component{ Version: "master", Image: "l7-admission-controller", @@ -387,7 +379,6 @@ var ( ComponentGatewayL7Collector, ComponentEnvoyProxy, ComponentDikastes, - ComponentQueryServer, ComponentPrometheus, ComponentPrometheusAlertmanager, ComponentTigeraNode, diff --git a/pkg/controller/apiserver/apiserver_controller_test.go b/pkg/controller/apiserver/apiserver_controller_test.go index 9095e64f8e..b70bd58906 100644 --- a/pkg/controller/apiserver/apiserver_controller_test.go +++ b/pkg/controller/apiserver/apiserver_controller_test.go @@ -198,8 +198,8 @@ var _ = Describe("apiserver controller tests", func() { Expect(qserver.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentQueryServer.Image, - components.ComponentQueryServer.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) Expect(d.Spec.Template.Spec.InitContainers).To(HaveLen(2)) csrinit := test.GetContainer(d.Spec.Template.Spec.InitContainers, "calico-apiserver-certs-key-cert-provisioner") Expect(csrinit).ToNot(BeNil()) @@ -218,7 +218,6 @@ var _ = Describe("apiserver controller tests", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/calico", Digest: "sha256:calicohash"}, - {Image: "tigera/queryserver", Digest: "sha256:queryserverhash"}, }, }, })).ToNot(HaveOccurred()) @@ -258,8 +257,8 @@ var _ = Describe("apiserver controller tests", func() { Expect(qserver.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentQueryServer.Image, - "sha256:queryserverhash"))) + components.ComponentTigeraCalico.Image, + "sha256:calicohash"))) csrinit := test.GetContainer(d.Spec.Template.Spec.InitContainers, "calico-apiserver-certs-key-cert-provisioner") Expect(csrinit).ToNot(BeNil()) Expect(csrinit.Image).To(Equal( diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go index bcb00f31cf..f84cdcb7ab 100644 --- a/pkg/render/apiserver.go +++ b/pkg/render/apiserver.go @@ -175,9 +175,7 @@ func (c *apiServerComponent) ResolveImages(is *operatorv1.ImageSet) error { } if enterprise { - // queryserver and dikastes don't yet ship as part of the combined calico image - // in enterprise, so resolve them from their own component images. - c.queryServerImage, err = components.GetReference(components.ComponentQueryServer, reg, path, prefix, is) + c.queryServerImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -1307,6 +1305,7 @@ func (c *apiServerComponent) queryServerContainer() corev1.Container { Name: string(TigeraAPIServerQueryServerContainerName), Image: c.queryServerImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "queryserver"}, Env: env, LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go index 94033edd67..6165e2952e 100644 --- a/pkg/render/apiserver_test.go +++ b/pkg/render/apiserver_test.go @@ -245,7 +245,7 @@ var _ = Describe("API server rendering tests (Calico Enterprise)", func() { Expect(d.Spec.Template.Spec.Containers[1].Name).To(Equal("tigera-queryserver")) Expect(d.Spec.Template.Spec.Containers[1].Image).To(Equal( - fmt.Sprintf("testregistry.com/%s%s:%s", components.TigeraImagePath, components.ComponentQueryServer.Image, components.ComponentQueryServer.Version), + fmt.Sprintf("testregistry.com/%s%s:%s", components.TigeraImagePath, components.ComponentTigeraCalico.Image, components.ComponentTigeraCalico.Version), )) Expect(d.Spec.Template.Spec.Containers[1].Args).To(BeEmpty()) From e61ea802bf87d370860d8416794d69bd7c4d9c4e Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 18:56:48 -0700 Subject: [PATCH 07/18] packetcapture: switch to combined calico image Drop ComponentPacketCapture from the enterprise component list and point the packetcapture container in the packet-capture API render at CombinedCalicoImage with the "calico component packetcapture" entrypoint. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- .../packetcapture/packetcapture_controller_test.go | 9 ++++----- pkg/render/packet_capture_api.go | 3 ++- pkg/render/packet_capture_api_test.go | 3 ++- 6 files changed, 8 insertions(+), 29 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 45be392729..8e989f3d68 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -75,9 +75,6 @@ components: elasticsearch-metrics: image: elasticsearch-metrics version: master - packetcapture: - image: packetcapture - version: master # coreos-prometheus holds the version of prometheus built for tigera/prometheus, # which prometheus operator uses to validate. coreos-prometheus: diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index 18f35bba84..b94b667db2 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -208,15 +208,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "packetcapture" }} - ComponentPacketCapture = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "egress-gateway" }} ComponentEgressGateway = Component{ Version: "{{ .Version }}", @@ -417,7 +408,6 @@ var ( ComponentKibana, ComponentManager, ComponentDex, - ComponentPacketCapture, ComponentEgressGateway, ComponentL7Collector, ComponentGatewayL7Collector, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 5bc8d24b6d..f68419d117 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -187,14 +187,6 @@ var ( variant: enterpriseVariant, } - ComponentPacketCapture = Component{ - Version: "master", - Image: "packetcapture", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentEgressGateway = Component{ Version: "master", Image: "egress-gateway", @@ -373,7 +365,6 @@ var ( ComponentKibana, ComponentManager, ComponentDex, - ComponentPacketCapture, ComponentEgressGateway, ComponentL7Collector, ComponentGatewayL7Collector, diff --git a/pkg/controller/packetcapture/packetcapture_controller_test.go b/pkg/controller/packetcapture/packetcapture_controller_test.go index b389003e52..c5497e61d8 100644 --- a/pkg/controller/packetcapture/packetcapture_controller_test.go +++ b/pkg/controller/packetcapture/packetcapture_controller_test.go @@ -187,8 +187,8 @@ var _ = Describe("packet capture controller tests", func() { Expect(pcContainer.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentPacketCapture.Image, - components.ComponentPacketCapture.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) Expect(pcContainer.VolumeMounts).To(ConsistOf([]corev1.VolumeMount{ { Name: packetCaptureSecret.Name, @@ -227,7 +227,6 @@ var _ = Describe("packet capture controller tests", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/calico", Digest: "sha256:calicocsrinithash"}, - {Image: "tigera/packetcapture", Digest: "sha256:packetcapturehash"}, }, }, })).ToNot(HaveOccurred()) @@ -249,8 +248,8 @@ var _ = Describe("packet capture controller tests", func() { Expect(pcContainer.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentPacketCapture.Image, - "sha256:packetcapturehash"))) + components.ComponentTigeraCalico.Image, + "sha256:calicocsrinithash"))) csrinitContainer := test.GetContainer(pcDeployment.Spec.Template.Spec.InitContainers, "tigera-packetcapture-server-tls-key-cert-provisioner") Expect(csrinitContainer).ToNot(BeNil()) Expect(csrinitContainer.Image).To(Equal( diff --git a/pkg/render/packet_capture_api.go b/pkg/render/packet_capture_api.go index 5a82bd7cbb..8015fc443c 100644 --- a/pkg/render/packet_capture_api.go +++ b/pkg/render/packet_capture_api.go @@ -99,7 +99,7 @@ func (pc *packetCaptureApiComponent) ResolveImages(is *operatorv1.ImageSet) erro prefix := pc.cfg.Installation.ImagePrefix var err error - pc.image, err = components.GetReference(components.ComponentPacketCapture, reg, path, prefix, is) + pc.image, err = components.GetReference(components.CombinedCalicoImage(pc.cfg.Installation), reg, path, prefix, is) if err != nil { return err } @@ -305,6 +305,7 @@ func (pc *packetCaptureApiComponent) container() corev1.Container { Name: PacketCaptureContainerName, Image: pc.image, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "packetcapture"}, LivenessProbe: pc.healthProbe(), ReadinessProbe: pc.healthProbe(), SecurityContext: securitycontext.NewNonRootContext(), diff --git a/pkg/render/packet_capture_api_test.go b/pkg/render/packet_capture_api_test.go index f491611134..0245e77395 100644 --- a/pkg/render/packet_capture_api_test.go +++ b/pkg/render/packet_capture_api_test.go @@ -192,7 +192,8 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { return []corev1.Container{ { Name: render.PacketCaptureContainerName, - Image: fmt.Sprintf("%s%s%s:%s", components.TigeraRegistry, components.TigeraImagePath, components.ComponentPacketCapture.Image, components.ComponentPacketCapture.Version), + Image: fmt.Sprintf("%s%s%s:%s", components.TigeraRegistry, components.TigeraImagePath, components.ComponentTigeraCalico.Image, components.ComponentTigeraCalico.Version), + Command: []string{components.CalicoBinaryPath, "component", "packetcapture"}, ImagePullPolicy: render.ImagePullPolicy(), SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(false), From 62ea129aa324458cfb57c6464468ebc684a522aa Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 19:10:26 -0700 Subject: [PATCH 08/18] applicationlayer: use combined calico image for l7-collector MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Point the l7-collector container at CombinedCalicoImage with command [/usr/bin/calico component l7-collector]. ComponentL7Collector and its config/template entries are dropped — the collector now ships inside the combined calico image. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 11 ----------- pkg/components/enterprise.go | 9 --------- .../applicationlayer_controller_test.go | 2 +- pkg/render/applicationlayer/applicationlayer.go | 3 ++- 5 files changed, 3 insertions(+), 25 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 8e989f3d68..21cab2a6e4 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -99,9 +99,6 @@ components: # Elasticsearch eck-elasticsearch-operator: version: 2.16.0 - l7-collector: - image: l7-collector - version: master gateway-l7-collector: image: gateway-l7-collector version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index b94b667db2..46389578c9 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -217,15 +217,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "l7-collector" }} - ComponentL7Collector = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "gateway-l7-collector" }} ComponentGatewayL7Collector = Component{ Version: "{{ .Version }}", @@ -409,7 +400,6 @@ var ( ComponentManager, ComponentDex, ComponentEgressGateway, - ComponentL7Collector, ComponentGatewayL7Collector, ComponentEnvoyProxy, ComponentDikastes, @@ -420,7 +410,6 @@ var ( ComponentTigeraCNIWindows, ComponentElasticsearchMetrics, ComponentESGateway, - ComponentLinseed, ComponentL7AdmissionController, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index f68419d117..6178f390f8 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -195,14 +195,6 @@ var ( variant: enterpriseVariant, } - ComponentL7Collector = Component{ - Version: "master", - Image: "l7-collector", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentGatewayL7Collector = Component{ Version: "master", Image: "gateway-l7-collector", @@ -366,7 +358,6 @@ var ( ComponentManager, ComponentDex, ComponentEgressGateway, - ComponentL7Collector, ComponentGatewayL7Collector, ComponentEnvoyProxy, ComponentDikastes, diff --git a/pkg/controller/applicationlayer/applicationlayer_controller_test.go b/pkg/controller/applicationlayer/applicationlayer_controller_test.go index 36d7ca5d90..c6f8f51ede 100644 --- a/pkg/controller/applicationlayer/applicationlayer_controller_test.go +++ b/pkg/controller/applicationlayer/applicationlayer_controller_test.go @@ -274,7 +274,7 @@ var _ = Describe("Application layer controller tests", func() { Expect(l7collector).ToNot(BeNil()) Expect(l7collector.Image).To(Equal(fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentL7Collector.Image, components.ComponentL7Collector.Version))) + components.ComponentTigeraCalico.Image, components.ComponentTigeraCalico.Version))) By("ensuring that felix configuration updated to enabled") fc := v3.FelixConfiguration{ diff --git a/pkg/render/applicationlayer/applicationlayer.go b/pkg/render/applicationlayer/applicationlayer.go index 7e480cf25c..99ffe7eeb5 100644 --- a/pkg/render/applicationlayer/applicationlayer.go +++ b/pkg/render/applicationlayer/applicationlayer.go @@ -132,7 +132,7 @@ func (c *component) ResolveImages(is *operatorv1.ImageSet) error { errMsgs = append(errMsgs, err.Error()) } - c.config.collectorImage, err = components.GetReference(components.ComponentL7Collector, reg, path, prefix, is) + c.config.collectorImage, err = components.GetReference(components.CombinedCalicoImage(c.config.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -291,6 +291,7 @@ func (c *component) containers() []corev1.Container { Name: L7CollectorContainerName, Image: c.config.collectorImage, ImagePullPolicy: render.ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "l7-collector"}, Env: c.collectorEnv(), SecurityContext: securitycontext.NewRootContext(false), VolumeMounts: c.collectorVolMounts(), From 5284e1cba1792e4ace8b6bdaaf2f0408d3fb0b8d Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Tue, 5 May 2026 22:33:25 -0700 Subject: [PATCH 09/18] packetcapture: set Variant=Enterprise in render tests The packet capture api is enterprise-only, so the test installations need to declare the Enterprise variant for CombinedCalicoImage to resolve to the tigera image. Was relying on the empty default before the move to CombinedCalicoImage. --- pkg/render/packet_capture_api_test.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pkg/render/packet_capture_api_test.go b/pkg/render/packet_capture_api_test.go index 0245e77395..02d4310759 100644 --- a/pkg/render/packet_capture_api_test.go +++ b/pkg/render/packet_capture_api_test.go @@ -79,7 +79,7 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { }, }} // Installation with minimal setup - defaultInstallation := operatorv1.InstallationSpec{} + defaultInstallation := operatorv1.InstallationSpec{Variant: operatorv1.TigeraSecureEnterprise} // Rendering packet capture resources renderPacketCapture := func(i operatorv1.InstallationSpec, config authentication.KeyValidatorConfig) (resources []client.Object) { @@ -351,6 +351,7 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { Value: "bar", } resources := renderPacketCapture(operatorv1.InstallationSpec{ + Variant: operatorv1.TigeraSecureEnterprise, ControlPlaneTolerations: []corev1.Toleration{t}, }, nil) @@ -363,6 +364,7 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { It("should render toleration on GKE", func() { resources := renderPacketCapture(operatorv1.InstallationSpec{ + Variant: operatorv1.TigeraSecureEnterprise, KubernetesProvider: operatorv1.ProviderGKE, }, nil) deployment := rtest.GetResource(resources, render.PacketCaptureDeploymentName, render.PacketCaptureNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment) @@ -377,6 +379,7 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { It("should render SecurityContextConstrains properly when provider is OpenShift", func() { resources := renderPacketCapture(operatorv1.InstallationSpec{ + Variant: operatorv1.TigeraSecureEnterprise, KubernetesProvider: operatorv1.ProviderOpenShift, }, nil) @@ -392,7 +395,7 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { It("should render all resources for an installation with certificate management", func() { ca, _ := tls.MakeCA(rmeta.DefaultOperatorCASignerName()) cert, _, _ := ca.Config.GetPEMBytes() // create a valid pem block - installation := operatorv1.InstallationSpec{CertificateManagement: &operatorv1.CertificateManagement{CACert: cert}} + installation := operatorv1.InstallationSpec{Variant: operatorv1.TigeraSecureEnterprise, CertificateManagement: &operatorv1.CertificateManagement{CACert: cert}} certificateManager, err := certificatemanager.Create(cli, &installation, clusterDomain, common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) @@ -461,7 +464,7 @@ var _ = Describe("Rendering tests for PacketCapture API component", func() { It("should override container's resource request and render init container with default values", func() { ca, _ := tls.MakeCA(rmeta.DefaultOperatorCASignerName()) cert, _, _ := ca.Config.GetPEMBytes() // create a valid pem block - installation := operatorv1.InstallationSpec{CertificateManagement: &operatorv1.CertificateManagement{CACert: cert}} + installation := operatorv1.InstallationSpec{Variant: operatorv1.TigeraSecureEnterprise, CertificateManagement: &operatorv1.CertificateManagement{CACert: cert}} certificateManager, err := certificatemanager.Create(cli, &installation, clusterDomain, common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) From 5bb9dcae81c273f06e3f59917892669c9c6ec545 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Wed, 6 May 2026 06:47:43 -0700 Subject: [PATCH 10/18] apiserver: use combined calico image for l7-admission-controller Point the calico-l7-admission-controller container at CombinedCalicoImage with command [/usr/bin/calico component l7-admission-controller]. ComponentL7AdmissionController and its config/template entries are removed - it ships inside the combined calico image now. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- pkg/render/apiserver.go | 3 ++- 4 files changed, 2 insertions(+), 23 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 21cab2a6e4..e4b10d1a14 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -108,9 +108,6 @@ components: dikastes: image: dikastes version: master - l7-admission-controller: - image: l7-admission-controller - version: master egress-gateway: image: egress-gateway version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index 46389578c9..c6fbcedef2 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -243,15 +243,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "l7-admission-controller" }} - ComponentL7AdmissionController = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "coreos-prometheus" }} ComponentCoreOSPrometheus = Component{ Version: "{{ .Version }}", @@ -410,7 +401,6 @@ var ( ComponentTigeraCNIWindows, ComponentElasticsearchMetrics, ComponentESGateway, - ComponentL7AdmissionController, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, ComponentGatewayAPIEnvoyRatelimit, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 6178f390f8..97fdc58dcd 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -218,14 +218,6 @@ var ( variant: enterpriseVariant, } - ComponentL7AdmissionController = Component{ - Version: "master", - Image: "l7-admission-controller", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentCoreOSPrometheus = Component{ Version: "v3.9.1", variant: enterpriseVariant, @@ -368,7 +360,6 @@ var ( ComponentTigeraCNIWindows, ComponentElasticsearchMetrics, ComponentESGateway, - ComponentL7AdmissionController, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, ComponentGatewayAPIEnvoyRatelimit, diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go index f84cdcb7ab..e1918e4fb5 100644 --- a/pkg/render/apiserver.go +++ b/pkg/render/apiserver.go @@ -180,7 +180,7 @@ func (c *apiServerComponent) ResolveImages(is *operatorv1.ImageSet) error { errMsgs = append(errMsgs, err.Error()) } if c.cfg.IsSidecarInjectionEnabled() { - c.l7AdmissionControllerImage, err = components.GetReference(components.ComponentL7AdmissionController, reg, path, prefix, is) + c.l7AdmissionControllerImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -2255,6 +2255,7 @@ func (c *apiServerComponent) l7AdmissionControllerContainer() corev1.Container { Name: string(L7AdmissionControllerContainerName), Image: c.l7AdmissionControllerImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "l7-admission-controller"}, Env: []corev1.EnvVar{ { Name: "L7ADMCTRL_TLSCERTPATH", From fd3d0e8bcd20d8bf8b6c60719fb28ec5904001f2 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Wed, 6 May 2026 07:37:06 -0700 Subject: [PATCH 11/18] manager: use combined calico image for ui-apis and dashboard-api Drop ComponentUIAPIs from enterprise.go, the gen-versions template, and config/enterprise_versions.yml, and point both the ui-apis and dashboard-api containers in the manager deployment at CombinedCalicoImage(installation) with the corresponding 'calico component ' entrypoints. The dashboard readiness probe becomes 'calico component dashboards ready'. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- .../manager/manager_controller_test.go | 20 +++++++++---------- pkg/render/manager.go | 9 +++++---- pkg/render/manager_test.go | 8 ++++---- 6 files changed, 18 insertions(+), 41 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index e4b10d1a14..0a6b435e7b 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -21,9 +21,6 @@ components: fluentd-windows: image: fluentd-windows version: master - ui-apis: - image: ui-apis - version: master es-gateway: image: es-gateway version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index c6fbcedef2..fe1855c6d9 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -127,15 +127,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "ui-apis" }} - ComponentUIAPIs = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "es-gateway" }} ComponentESGateway = Component{ Version: "{{ .Version }}", @@ -382,7 +373,6 @@ var ( ComponentElasticTseeInstaller, ComponentElasticsearch, ComponentElasticsearchOperator, - ComponentUIAPIs, ComponentFluentd, ComponentFluentdWindows, ComponentIntrusionDetectionController, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 97fdc58dcd..70dcf87073 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -115,14 +115,6 @@ var ( variant: enterpriseVariant, } - ComponentUIAPIs = Component{ - Version: "master", - Image: "ui-apis", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentESGateway = Component{ Version: "master", Image: "es-gateway", @@ -341,7 +333,6 @@ var ( ComponentElasticTseeInstaller, ComponentElasticsearch, ComponentElasticsearchOperator, - ComponentUIAPIs, ComponentFluentd, ComponentFluentdWindows, ComponentIntrusionDetectionController, diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go index 3eed8a23f0..47c83cec1b 100644 --- a/pkg/controller/manager/manager_controller_test.go +++ b/pkg/controller/manager/manager_controller_test.go @@ -626,15 +626,15 @@ var _ = Describe("Manager controller tests", func() { Expect(dashboard.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentUIAPIs.Image, - components.ComponentUIAPIs.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) uiAPIContainer := test.GetContainer(d.Spec.Template.Spec.Containers, render.UIAPIsName) Expect(uiAPIContainer).ToNot(BeNil()) Expect(uiAPIContainer.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentUIAPIs.Image, - components.ComponentUIAPIs.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) vltrn := test.GetContainer(d.Spec.Template.Spec.Containers, render.VoltronName) Expect(vltrn).ToNot(BeNil()) Expect(vltrn.Image).To(Equal( @@ -650,8 +650,6 @@ var _ = Describe("Manager controller tests", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/manager", Digest: "sha256:managerhash"}, - {Image: "tigera/ui-apis", Digest: "sha256:uiapihash"}, - {Image: "tigera/calico", Digest: "sha256:voltronhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -680,22 +678,22 @@ var _ = Describe("Manager controller tests", func() { Expect(dashboard.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentUIAPIs.Image, - "sha256:uiapihash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) uiAPIContainer := test.GetContainer(d.Spec.Template.Spec.Containers, render.UIAPIsName) Expect(uiAPIContainer).ToNot(BeNil()) Expect(uiAPIContainer.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentUIAPIs.Image, - "sha256:uiapihash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) vltrn := test.GetContainer(d.Spec.Template.Spec.Containers, render.VoltronName) Expect(vltrn).ToNot(BeNil()) Expect(vltrn.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, components.ComponentTigeraCalico.Image, - "sha256:voltronhash"))) + "sha256:deadbeef0123456789"))) }) }) diff --git a/pkg/render/manager.go b/pkg/render/manager.go index 134a888e58..cec6a2811d 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go @@ -243,7 +243,7 @@ func (c *managerComponent) ResolveImages(is *operatorv1.ImageSet) error { errMsgs = append(errMsgs, err.Error()) } - c.uiAPIsImage, err = components.GetReference(components.ComponentUIAPIs, reg, path, prefix, is) + c.uiAPIsImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -704,14 +704,14 @@ func (c *managerComponent) dashboardContainer() corev1.Container { Name: DashboardAPIName, Image: c.uiAPIsImage, ImagePullPolicy: ImagePullPolicy(), - Command: []string{"/usr/bin/dashboard-api"}, + Command: []string{components.CalicoBinaryPath, "component", "dashboards"}, Env: env, VolumeMounts: mounts, SecurityContext: securitycontext.NewNonRootContext(), ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ - Command: []string{"/usr/bin/dashboard-api", "-ready"}, + Command: []string{components.CalicoBinaryPath, "component", "dashboards", "ready"}, }, }, FailureThreshold: 3, @@ -723,7 +723,7 @@ func (c *managerComponent) dashboardContainer() corev1.Container { LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ - Command: []string{"/usr/bin/dashboard-api", "-ready"}, + Command: []string{components.CalicoBinaryPath, "component", "dashboards", "ready"}, }, }, FailureThreshold: 3, @@ -795,6 +795,7 @@ func (c *managerComponent) managerUIAPIsContainer() corev1.Container { Name: UIAPIsName, Image: c.uiAPIsImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "ui-apis"}, LivenessProbe: c.managerUIAPIsProbe(), SecurityContext: securitycontext.NewNonRootContext(), Env: env, diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index 6b3ffc8087..d9f00ee20a 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go @@ -130,8 +130,8 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { manager := deployment.Spec.Template.Spec.Containers[3] Expect(manager.Image).Should(Equal(components.TigeraRegistry + "tigera/manager:" + components.ComponentManager.Version)) - Expect(uiAPIs.Image).Should(Equal(components.TigeraRegistry + "tigera/ui-apis:" + components.ComponentUIAPIs.Version)) - Expect(dashboard.Image).Should(Equal(components.TigeraRegistry + "tigera/ui-apis:" + components.ComponentUIAPIs.Version)) + Expect(uiAPIs.Image).Should(Equal(components.CalicoRegistry + "calico/calico:" + components.ComponentCalico.Version)) + Expect(dashboard.Image).Should(Equal(components.CalicoRegistry + "calico/calico:" + components.ComponentCalico.Version)) Expect(voltron.Image).Should(Equal(components.CalicoRegistry + "calico/calico:" + components.ComponentCalico.Version)) // manager container @@ -203,9 +203,9 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { Expect(dashboard.VolumeMounts[1].MountPath).To(Equal(fmt.Sprintf("/%s", render.ManagerInternalTLSSecretName))) Expect(dashboard.ReadinessProbe).NotTo(BeNil()) - Expect(dashboard.ReadinessProbe.ProbeHandler.Exec.Command).To(Equal([]string{"/usr/bin/dashboard-api", "-ready"})) + Expect(dashboard.ReadinessProbe.ProbeHandler.Exec.Command).To(Equal([]string{"/usr/bin/calico", "component", "dashboards", "ready"})) Expect(dashboard.LivenessProbe).NotTo(BeNil()) - Expect(dashboard.LivenessProbe.ProbeHandler.Exec.Command).To(Equal([]string{"/usr/bin/dashboard-api", "-ready"})) + Expect(dashboard.LivenessProbe.ProbeHandler.Exec.Command).To(Equal([]string{"/usr/bin/calico", "component", "dashboards", "ready"})) Expect(dashboard.SecurityContext).NotTo(BeNil()) Expect(*dashboard.SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) From 29a2d0c7365936e23eb0fc05e94b07c57997f443 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Wed, 6 May 2026 08:18:02 -0700 Subject: [PATCH 12/18] compliance: use combined calico image for server/controller/reporter/snapshotter Compliance server, controller, reporter, and snapshotter now run from the calico mono-image via "calico component " subcommands. Benchmarker stays on its own image since it bundles kube-bench and kubectl. --- config/enterprise_versions.yml | 12 ------ hack/gen-versions/enterprise.go.tpl | 40 ------------------- pkg/components/enterprise.go | 36 ----------------- .../compliance/compliance_controller_test.go | 36 ++++++++--------- pkg/render/compliance.go | 12 ++++-- 5 files changed, 24 insertions(+), 112 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 0a6b435e7b..a41907d249 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -51,18 +51,6 @@ components: waf-http-filter: image: waf-http-filter version: master - compliance-controller: - image: compliance-controller - version: master - compliance-reporter: - image: compliance-reporter - version: master - compliance-snapshotter: - image: compliance-snapshotter - version: master - compliance-server: - image: compliance-server - version: master compliance-benchmarker: image: compliance-benchmarker version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index fe1855c6d9..a249d13903 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -37,42 +37,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "compliance-controller" }} - ComponentComplianceController = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} -{{ with index .Components "compliance-reporter" }} - ComponentComplianceReporter = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} -{{ with index .Components "compliance-server" }} - ComponentComplianceServer = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} -{{ with index .Components "compliance-snapshotter" }} - ComponentComplianceSnapshotter = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "deep-packet-inspection" }} ComponentDeepPacketInspection = Component{ Version: "{{ .Version }}", @@ -365,10 +329,6 @@ var ( EnterpriseImages = []Component{ ComponentTigeraCalico, ComponentComplianceBenchmarker, - ComponentComplianceController, - ComponentComplianceReporter, - ComponentComplianceServer, - ComponentComplianceSnapshotter, ComponentDeepPacketInspection, ComponentElasticTseeInstaller, ComponentElasticsearch, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 70dcf87073..b74cac6f86 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -36,38 +36,6 @@ var ( variant: enterpriseVariant, } - ComponentComplianceController = Component{ - Version: "master", - Image: "compliance-controller", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - - ComponentComplianceReporter = Component{ - Version: "master", - Image: "compliance-reporter", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - - ComponentComplianceServer = Component{ - Version: "master", - Image: "compliance-server", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - - ComponentComplianceSnapshotter = Component{ - Version: "master", - Image: "compliance-snapshotter", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentDeepPacketInspection = Component{ Version: "master", Image: "deep-packet-inspection", @@ -325,10 +293,6 @@ var ( EnterpriseImages = []Component{ ComponentTigeraCalico, ComponentComplianceBenchmarker, - ComponentComplianceController, - ComponentComplianceReporter, - ComponentComplianceServer, - ComponentComplianceSnapshotter, ComponentDeepPacketInspection, ComponentElasticTseeInstaller, ComponentElasticsearch, diff --git a/pkg/controller/compliance/compliance_controller_test.go b/pkg/controller/compliance/compliance_controller_test.go index 4bb60c6f1e..7ec3dec59b 100644 --- a/pkg/controller/compliance/compliance_controller_test.go +++ b/pkg/controller/compliance/compliance_controller_test.go @@ -451,8 +451,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentComplianceController.Image, - components.ComponentComplianceController.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) pt := corev1.PodTemplate{ TypeMeta: metav1.TypeMeta{Kind: "PodTemplate", APIVersion: "v1"}, @@ -468,8 +468,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(reporter.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentComplianceReporter.Image, - components.ComponentComplianceReporter.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) d = appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, @@ -485,8 +485,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(snap.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentComplianceSnapshotter.Image, - components.ComponentComplianceSnapshotter.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) ds := appsv1.DaemonSet{ TypeMeta: metav1.TypeMeta{Kind: "DaemonSet", APIVersion: "apps/v1"}, @@ -519,8 +519,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(server.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentComplianceServer.Image, - components.ComponentComplianceServer.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) }) It("should use images from imageset", func() { Expect(c.Create(ctx, &operatorv1.ImageSet{ @@ -528,10 +528,6 @@ var _ = Describe("Compliance controller tests", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/compliance-benchmarker", Digest: "sha256:benchmarkerhash"}, - {Image: "tigera/compliance-controller", Digest: "sha256:controllerhash"}, - {Image: "tigera/compliance-reporter", Digest: "sha256:reporterhash"}, - {Image: "tigera/compliance-server", Digest: "sha256:serverhash"}, - {Image: "tigera/compliance-snapshotter", Digest: "sha256:snapshotterhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -554,8 +550,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentComplianceController.Image, - "sha256:controllerhash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) pt := corev1.PodTemplate{ TypeMeta: metav1.TypeMeta{Kind: "PodTemplate", APIVersion: "v1"}, @@ -571,8 +567,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(reporter.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentComplianceReporter.Image, - "sha256:reporterhash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) d = appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, @@ -588,8 +584,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(snap.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentComplianceSnapshotter.Image, - "sha256:snapshotterhash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) ds := appsv1.DaemonSet{ TypeMeta: metav1.TypeMeta{Kind: "DaemonSet", APIVersion: "apps/v1"}, @@ -622,8 +618,8 @@ var _ = Describe("Compliance controller tests", func() { Expect(server.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentComplianceServer.Image, - "sha256:serverhash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) }) }) diff --git a/pkg/render/compliance.go b/pkg/render/compliance.go index 53c1e46817..b1e7a8ba8c 100644 --- a/pkg/render/compliance.go +++ b/pkg/render/compliance.go @@ -140,22 +140,22 @@ func (c *complianceComponent) ResolveImages(is *operatorv1.ImageSet) error { errMsgs = append(errMsgs, err.Error()) } - c.snapshotterImage, err = components.GetReference(components.ComponentComplianceSnapshotter, reg, path, prefix, is) + c.snapshotterImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } - c.serverImage, err = components.GetReference(components.ComponentComplianceServer, reg, path, prefix, is) + c.serverImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } - c.controllerImage, err = components.GetReference(components.ComponentComplianceController, reg, path, prefix, is) + c.controllerImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } - c.reporterImage, err = components.GetReference(components.ComponentComplianceReporter, reg, path, prefix, is) + c.reporterImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -486,6 +486,7 @@ func (c *complianceComponent) complianceControllerDeployment() *appsv1.Deploymen Name: ComplianceControllerName, Image: c.controllerImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "compliance-controller"}, Env: envVars, LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ @@ -686,6 +687,7 @@ func (c *complianceComponent) complianceReporterPodTemplate() *corev1.PodTemplat Name: "reporter", Image: c.reporterImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "compliance-reporter"}, Env: envVars, LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ @@ -893,6 +895,7 @@ func (c *complianceComponent) complianceServerDeployment() *appsv1.Deployment { { Name: ComplianceServerName, Image: c.serverImage, + Command: []string{components.CalicoBinaryPath, "component", "compliance-server"}, ImagePullPolicy: ImagePullPolicy(), Env: envVars, LivenessProbe: &corev1.Probe{ @@ -1107,6 +1110,7 @@ func (c *complianceComponent) complianceSnapshotterDeployment() *appsv1.Deployme Name: ComplianceSnapshotterName, Image: c.snapshotterImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "compliance-snapshotter"}, Env: envVars, LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ From 7684875ac7760d6983e7a368960fef5d64248952 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Wed, 6 May 2026 21:02:09 -0700 Subject: [PATCH 13/18] intrusion-detection-controller: use combined calico image IDC now runs from the calico mono-image via "calico component intrusion-detection-controller". Liveness probe uses the generic calico health exec command against port 50000. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 11 +---------- .../intrusiondetection_controller_test.go | 11 +++++------ pkg/render/intrusion_detection.go | 10 ++++++---- 5 files changed, 12 insertions(+), 33 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index a41907d249..a0cfa8cc95 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -45,9 +45,6 @@ components: es-curator: image: es-curator version: master - intrusion-detection-controller: - image: intrusion-detection-controller - version: master waf-http-filter: image: waf-http-filter version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index a249d13903..9aa1f65e3b 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -118,15 +118,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "intrusion-detection-controller" }} - ComponentIntrusionDetectionController = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "waf-http-filter" }} ComponentWAFHTTPFilter = Component{ Version: "{{ .Version }}", @@ -335,7 +326,6 @@ var ( ComponentElasticsearchOperator, ComponentFluentd, ComponentFluentdWindows, - ComponentIntrusionDetectionController, ComponentWAFHTTPFilter, ComponentKibana, ComponentManager, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index b74cac6f86..3b446e05e9 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -107,15 +107,7 @@ var ( variant: enterpriseVariant, } - ComponentIntrusionDetectionController = Component{ - Version: "master", - Image: "intrusion-detection-controller", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - - ComponentWAFHTTPFilter = Component{ +ComponentWAFHTTPFilter = Component{ Version: "master", Image: "waf-http-filter", Registry: "", @@ -299,7 +291,6 @@ var ( ComponentElasticsearchOperator, ComponentFluentd, ComponentFluentdWindows, - ComponentIntrusionDetectionController, ComponentWAFHTTPFilter, ComponentKibana, ComponentManager, diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 3f576c2b02..090e05960f 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -223,8 +223,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentIntrusionDetectionController.Image, - components.ComponentIntrusionDetectionController.Version))) + components.ComponentTigeraCalico.Image, + components.ComponentTigeraCalico.Version))) training_pt := corev1.PodTemplate{ TypeMeta: metav1.TypeMeta{ @@ -265,9 +265,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { ObjectMeta: metav1.ObjectMeta{Name: "enterprise-" + components.EnterpriseRelease}, Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ - {Image: "tigera/intrusion-detection-controller", Digest: "sha256:intrusiondetectioncontrollerhash"}, {Image: "tigera/deep-packet-inspection", Digest: "sha256:deeppacketinspectionhash"}, - {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, + {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, })).ToNot(HaveOccurred()) @@ -289,8 +288,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentIntrusionDetectionController.Image, - "sha256:intrusiondetectioncontrollerhash"))) + components.ComponentTigeraCalico.Image, + "sha256:deadbeef0123456789"))) ds := appsv1.DaemonSet{ TypeMeta: metav1.TypeMeta{Kind: "DaemonSet", APIVersion: "apps/v1"}, diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go index d7284c3f05..15ded6aa03 100644 --- a/pkg/render/intrusion_detection.go +++ b/pkg/render/intrusion_detection.go @@ -132,7 +132,7 @@ func (c *intrusionDetectionComponent) ResolveImages(is *operatorv1.ImageSet) err var errMsgs []string var err error - c.controllerImage, err = components.GetReference(components.ComponentIntrusionDetectionController, reg, path, prefix, is) + c.controllerImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -770,14 +770,16 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co Name: "controller", Image: c.controllerImage, ImagePullPolicy: ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "intrusion-detection-controller"}, Env: envs, - // Needed for permissions to write to the audit log LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ Command: []string{ - "/usr/bin/healthz", - "liveness", + components.CalicoBinaryPath, + "health", + "--port=50000", + "--type=liveness", }, }, }, From 7229cec4f4470629c489c6cd267665fb0bff08d4 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Wed, 6 May 2026 22:12:30 -0700 Subject: [PATCH 14/18] elasticsearch-metrics: use combined calico image Runs from the calico mono-image via "calico component elasticsearch-metrics". --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- .../logstorage/elastic/elastic_controller_test.go | 1 - .../kubecontrollers/es_kube_controllers_test.go | 1 - .../logstorage/linseed/linseed_controller_test.go | 2 -- .../logstorage/esmetrics/elasticsearch_metrics.go | 4 ++-- .../logstorage/esmetrics/elasticsearch_metrics_test.go | 7 ++++--- 8 files changed, 6 insertions(+), 31 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index a0cfa8cc95..4ccc82d091 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -54,9 +54,6 @@ components: tigera-cni-windows: image: cni-windows version: master - elasticsearch-metrics: - image: elasticsearch-metrics - version: master # coreos-prometheus holds the version of prometheus built for tigera/prometheus, # which prometheus operator uses to validate. coreos-prometheus: diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index 9aa1f65e3b..a70a8274da 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -246,15 +246,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "elasticsearch-metrics" }} - ComponentElasticsearchMetrics = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with index .Components "gateway-api-envoy-gateway" }} ComponentGatewayAPIEnvoyGateway = Component{ Version: "{{ .Version }}", @@ -339,7 +330,6 @@ var ( ComponentTigeraNode, ComponentTigeraNodeWindows, ComponentTigeraCNIWindows, - ComponentElasticsearchMetrics, ComponentESGateway, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 3b446e05e9..95c160022e 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -220,14 +220,6 @@ ComponentWAFHTTPFilter = Component{ variant: enterpriseVariant, } - ComponentElasticsearchMetrics = Component{ - Version: "master", - Image: "elasticsearch-metrics", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentGatewayAPIEnvoyGateway = Component{ Version: "master", Image: "envoy-gateway", @@ -304,7 +296,6 @@ ComponentWAFHTTPFilter = Component{ ComponentTigeraNode, ComponentTigeraNodeWindows, ComponentTigeraCNIWindows, - ComponentElasticsearchMetrics, ComponentESGateway, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, diff --git a/pkg/controller/logstorage/elastic/elastic_controller_test.go b/pkg/controller/logstorage/elastic/elastic_controller_test.go index ab547721aa..6eb3581d63 100644 --- a/pkg/controller/logstorage/elastic/elastic_controller_test.go +++ b/pkg/controller/logstorage/elastic/elastic_controller_test.go @@ -1043,7 +1043,6 @@ var _ = Describe("LogStorage controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/elasticsearch-metrics", Digest: "sha256:esmetricshash"}, {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, diff --git a/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go b/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go index 337d7bdc86..01ad666a91 100644 --- a/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go +++ b/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go @@ -261,7 +261,6 @@ var _ = Describe("LogStorage ES kube-controllers controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/elasticsearch-metrics", Digest: "sha256:esmetricshash"}, {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, diff --git a/pkg/controller/logstorage/linseed/linseed_controller_test.go b/pkg/controller/logstorage/linseed/linseed_controller_test.go index bc6823677c..e0bd3dbd6b 100644 --- a/pkg/controller/logstorage/linseed/linseed_controller_test.go +++ b/pkg/controller/logstorage/linseed/linseed_controller_test.go @@ -260,7 +260,6 @@ var _ = Describe("LogStorage Linseed controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/elasticsearch-metrics", Digest: "sha256:esmetricshash"}, {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/calico", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, @@ -483,7 +482,6 @@ var _ = Describe("LogStorage Linseed controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/elasticsearch-metrics", Digest: "sha256:esmetricshash"}, {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/calico", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go index 444b1afcb4..97e09f71ba 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go @@ -82,7 +82,7 @@ func (e *elasticsearchMetrics) ResolveImages(is *operatorv1.ImageSet) error { path := e.cfg.Installation.ImagePath prefix := e.cfg.Installation.ImagePrefix - e.esMetricsImage, err = components.GetReference(components.ComponentElasticsearchMetrics, reg, path, prefix, is) + e.esMetricsImage, err = components.GetReference(components.CombinedCalicoImage(e.cfg.Installation), reg, path, prefix, is) if err != nil { return err } @@ -237,7 +237,7 @@ func (e *elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { Image: e.esMetricsImage, ImagePullPolicy: render.ImagePullPolicy(), SecurityContext: sc, - Command: []string{"/bin/elasticsearch_exporter"}, + Command: []string{components.CalicoBinaryPath, "component", "elasticsearch-metrics"}, Args: []string{ "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go index b39b9566ab..dcb2664210 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go @@ -60,6 +60,7 @@ var _ = Describe("Elasticsearch metrics", func() { installation := &operatorv1.InstallationSpec{ KubernetesProvider: operatorv1.ProviderOpenShift, Registry: "testregistry.com/", + Variant: operatorv1.TigeraSecureEnterprise, } esConfig = relasticsearch.NewClusterConfig("cluster", 1, 1, 1) @@ -93,7 +94,7 @@ var _ = Describe("Elasticsearch metrics", func() { Expect(component.ResolveImages(&operatorv1.ImageSet{ Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{{ - Image: "tigera/elasticsearch-metrics", + Image: "tigera/calico", Digest: "testdigest", }}, }, @@ -163,8 +164,8 @@ var _ = Describe("Elasticsearch metrics", func() { ImagePullSecrets: []corev1.LocalObjectReference{{Name: "pullsecret"}}, Containers: []corev1.Container{{ Name: ElasticsearchMetricsName, - Image: "testregistry.com/tigera/elasticsearch-metrics@testdigest", - Command: []string{"/bin/elasticsearch_exporter"}, + Image: "testregistry.com/tigera/calico@testdigest", + Command: []string{"/usr/bin/calico", "component", "elasticsearch-metrics"}, Args: []string{ "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", From 7cc898a0c7109bc40de7c578f1d8c5f617b2a5cc Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Wed, 6 May 2026 22:39:48 -0700 Subject: [PATCH 15/18] es-gateway: use combined calico image Migrate es-gateway to run as a subcommand of the calico mono-image binary. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 9 --------- .../logstorage/elastic/elastic_controller_test.go | 1 - .../kubecontrollers/es_kube_controllers_test.go | 1 - .../logstorage/linseed/linseed_controller_test.go | 2 -- pkg/render/logstorage/esgateway/esgateway.go | 3 ++- pkg/render/logstorage/esgateway/esgateway_test.go | 1 + 8 files changed, 3 insertions(+), 27 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index 4ccc82d091..f407fd7daf 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -21,9 +21,6 @@ components: fluentd-windows: image: fluentd-windows version: master - es-gateway: - image: es-gateway - version: master dex: image: dex version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index a70a8274da..c20db780eb 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -91,15 +91,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "es-gateway" }} - ComponentESGateway = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with .Components.fluentd }} ComponentFluentd = Component{ Version: "{{ .Version }}", @@ -330,7 +321,6 @@ var ( ComponentTigeraNode, ComponentTigeraNodeWindows, ComponentTigeraCNIWindows, - ComponentESGateway, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, ComponentGatewayAPIEnvoyRatelimit, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 95c160022e..7234946826 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -83,14 +83,6 @@ var ( variant: enterpriseVariant, } - ComponentESGateway = Component{ - Version: "master", - Image: "es-gateway", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - ComponentFluentd = Component{ Version: "master", Image: "fluentd", @@ -296,7 +288,6 @@ ComponentWAFHTTPFilter = Component{ ComponentTigeraNode, ComponentTigeraNodeWindows, ComponentTigeraCNIWindows, - ComponentESGateway, ComponentGatewayAPIEnvoyGateway, ComponentGatewayAPIEnvoyProxy, ComponentGatewayAPIEnvoyRatelimit, diff --git a/pkg/controller/logstorage/elastic/elastic_controller_test.go b/pkg/controller/logstorage/elastic/elastic_controller_test.go index 6eb3581d63..143908a3ba 100644 --- a/pkg/controller/logstorage/elastic/elastic_controller_test.go +++ b/pkg/controller/logstorage/elastic/elastic_controller_test.go @@ -1043,7 +1043,6 @@ var _ = Describe("LogStorage controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, diff --git a/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go b/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go index 01ad666a91..31531e2802 100644 --- a/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go +++ b/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go @@ -261,7 +261,6 @@ var _ = Describe("LogStorage ES kube-controllers controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, diff --git a/pkg/controller/logstorage/linseed/linseed_controller_test.go b/pkg/controller/logstorage/linseed/linseed_controller_test.go index e0bd3dbd6b..01ac6c136f 100644 --- a/pkg/controller/logstorage/linseed/linseed_controller_test.go +++ b/pkg/controller/logstorage/linseed/linseed_controller_test.go @@ -260,7 +260,6 @@ var _ = Describe("LogStorage Linseed controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/calico", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, @@ -482,7 +481,6 @@ var _ = Describe("LogStorage Linseed controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/es-gateway", Digest: "sha256:esgatewayhash"}, {Image: "tigera/calico", Digest: "sha256:linseedhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, diff --git a/pkg/render/logstorage/esgateway/esgateway.go b/pkg/render/logstorage/esgateway/esgateway.go index b53373d18b..ec217ae11e 100644 --- a/pkg/render/logstorage/esgateway/esgateway.go +++ b/pkg/render/logstorage/esgateway/esgateway.go @@ -92,7 +92,7 @@ func (e *esGateway) ResolveImages(is *operatorv1.ImageSet) error { var err error errMsgs := []string{} - e.esGatewayImage, err = components.GetReference(components.ComponentESGateway, reg, path, prefix, is) + e.esGatewayImage, err = components.GetReference(components.CombinedCalicoImage(e.cfg.Installation), reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) } @@ -254,6 +254,7 @@ func (e *esGateway) esGatewayDeployment() *appsv1.Deployment { Name: DeploymentName, Image: e.esGatewayImage, ImagePullPolicy: render.ImagePullPolicy(), + Command: []string{components.CalicoBinaryPath, "component", "es-gateway"}, Env: envVars, VolumeMounts: volumeMounts, ReadinessProbe: &corev1.Probe{ diff --git a/pkg/render/logstorage/esgateway/esgateway_test.go b/pkg/render/logstorage/esgateway/esgateway_test.go index b0d4f45d91..d50bc74264 100644 --- a/pkg/render/logstorage/esgateway/esgateway_test.go +++ b/pkg/render/logstorage/esgateway/esgateway_test.go @@ -68,6 +68,7 @@ var _ = Describe("ES Gateway rendering tests", func() { ControlPlaneReplicas: &replicas, KubernetesProvider: operatorv1.ProviderNone, Registry: "testregistry.com/", + Variant: operatorv1.TigeraSecureEnterprise, } replicas = 2 kp, bundle := getTLS(cli, installation) From f2e886a7ea5457357c45623ba5b31f54bd515259 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Thu, 7 May 2026 06:57:55 -0700 Subject: [PATCH 16/18] waf-http-filter: use combined calico image Migrate waf-http-filter to run as a subcommand of the calico mono-image binary. --- config/enterprise_versions.yml | 3 --- hack/gen-versions/enterprise.go.tpl | 10 ---------- pkg/components/enterprise.go | 11 +---------- pkg/render/gatewayapi/gateway_api.go | 13 +++++++------ 4 files changed, 8 insertions(+), 29 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index f407fd7daf..d9dcda7ee4 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -42,9 +42,6 @@ components: es-curator: image: es-curator version: master - waf-http-filter: - image: waf-http-filter - version: master compliance-benchmarker: image: compliance-benchmarker version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index c20db780eb..b231073979 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -109,15 +109,6 @@ var ( variant: enterpriseVariant, } {{- end }} -{{ with index .Components "waf-http-filter" }} - ComponentWAFHTTPFilter = Component{ - Version: "{{ .Version }}", - Image: "{{ .Image }}", - Registry: "{{ .Registry }}", - imagePath: "{{ .ImagePath }}", - variant: enterpriseVariant, - } -{{- end }} {{ with .Components.kibana }} ComponentKibana = Component{ Version: "{{ .Version }}", @@ -308,7 +299,6 @@ var ( ComponentElasticsearchOperator, ComponentFluentd, ComponentFluentdWindows, - ComponentWAFHTTPFilter, ComponentKibana, ComponentManager, ComponentDex, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index 7234946826..deac8a05db 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -99,15 +99,7 @@ var ( variant: enterpriseVariant, } -ComponentWAFHTTPFilter = Component{ - Version: "master", - Image: "waf-http-filter", - Registry: "", - imagePath: "", - variant: enterpriseVariant, - } - - ComponentKibana = Component{ +ComponentKibana = Component{ Version: "master", Image: "kibana", Registry: "", @@ -275,7 +267,6 @@ ComponentWAFHTTPFilter = Component{ ComponentElasticsearchOperator, ComponentFluentd, ComponentFluentdWindows, - ComponentWAFHTTPFilter, ComponentKibana, ComponentManager, ComponentDex, diff --git a/pkg/render/gatewayapi/gateway_api.go b/pkg/render/gatewayapi/gateway_api.go index e64cbe6f95..b2483e564d 100644 --- a/pkg/render/gatewayapi/gateway_api.go +++ b/pkg/render/gatewayapi/gateway_api.go @@ -443,7 +443,7 @@ func (pr *gatewayAPIImplementationComponent) ResolveImages(is *operatorv1.ImageS if err != nil { return err } - pr.wafHTTPFilterImage, err = components.GetReference(components.ComponentWAFHTTPFilter, reg, path, prefix, is) + pr.wafHTTPFilterImage, err = components.GetReference(components.CombinedCalicoImage(pr.cfg.Installation), reg, path, prefix, is) if err != nil { return err } @@ -767,14 +767,15 @@ func (pr *gatewayAPIImplementationComponent) envoyProxyConfig(className string, if envoyProxy.Spec.Provider.Kubernetes.EnvoyDeployment != nil { // Add or update the Init Container to the deployment wafHTTPFilter := corev1.Container{ - Name: wafFilterName, - Image: pr.wafHTTPFilterImage, + Name: wafFilterName, + Image: pr.wafHTTPFilterImage, + Command: []string{components.CalicoBinaryPath, "component", "waf-http-filter"}, Args: []string{ - "-logFileDirectory", + "--logFileDirectory", "/var/log/calico/waf", - "-logFileName", + "--logFileName", "waf.log", - "-socketPath", + "--socketPath", "/var/run/waf-http-filter/extproc.sock", }, RestartPolicy: ptr.To(corev1.ContainerRestartPolicyAlways), From fffc3b0e1ba4260d28d8977c46c232afb979ab50 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Thu, 7 May 2026 07:20:31 -0700 Subject: [PATCH 17/18] logstorage tests: drop stale tigera/linseed and dedupe tigera/calico imageset entries Fallout from folding linseed and other components into the calico mono-image. The shared imageset fixtures still listed tigera/linseed and had multiple tigera/calico entries with different digests, which caused the reconcilers to either reject the imageset or pick the wrong digest. --- pkg/controller/logstorage/elastic/elastic_controller_test.go | 2 -- .../logstorage/kubecontrollers/es_kube_controllers_test.go | 2 -- pkg/controller/logstorage/linseed/linseed_controller_test.go | 4 ---- 3 files changed, 8 deletions(-) diff --git a/pkg/controller/logstorage/elastic/elastic_controller_test.go b/pkg/controller/logstorage/elastic/elastic_controller_test.go index 143908a3ba..fca9ed1ad7 100644 --- a/pkg/controller/logstorage/elastic/elastic_controller_test.go +++ b/pkg/controller/logstorage/elastic/elastic_controller_test.go @@ -1043,8 +1043,6 @@ var _ = Describe("LogStorage controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, - {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, })).ToNot(HaveOccurred()) diff --git a/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go b/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go index 31531e2802..b35d072664 100644 --- a/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go +++ b/pkg/controller/logstorage/kubecontrollers/es_kube_controllers_test.go @@ -261,8 +261,6 @@ var _ = Describe("LogStorage ES kube-controllers controller", func() { {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, - {Image: "tigera/linseed", Digest: "sha256:linseedhash"}, - {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, })).ToNot(HaveOccurred()) diff --git a/pkg/controller/logstorage/linseed/linseed_controller_test.go b/pkg/controller/logstorage/linseed/linseed_controller_test.go index 01ac6c136f..9a1128a11a 100644 --- a/pkg/controller/logstorage/linseed/linseed_controller_test.go +++ b/pkg/controller/logstorage/linseed/linseed_controller_test.go @@ -257,11 +257,9 @@ var _ = Describe("LogStorage Linseed controller", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/elasticsearch", Digest: "sha256:elasticsearchhash"}, - {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, {Image: "tigera/calico", Digest: "sha256:linseedhash"}, - {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, })).ToNot(HaveOccurred()) @@ -478,11 +476,9 @@ var _ = Describe("LogStorage Linseed controller", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/elasticsearch", Digest: "sha256:elasticsearchhash"}, - {Image: "tigera/calico", Digest: "sha256:kubecontrollershash"}, {Image: "tigera/kibana", Digest: "sha256:kibanahash"}, {Image: "tigera/eck-operator", Digest: "sha256:eckoperatorhash"}, {Image: "tigera/calico", Digest: "sha256:linseedhash"}, - {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, })).ToNot(HaveOccurred()) From 934d16ec5393e14718a0ca4985609778c486f148 Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Thu, 7 May 2026 10:56:26 -0700 Subject: [PATCH 18/18] intrusion-detection-controller: render against wrapper image Pair to the calico-private change that brings back a thin IDC image wrapping calico with the GeoIP databases layered on top. Operator points the IDC controller container back at ComponentIntrusionDetectionController so the deployment pulls the wrapper instead of the bare calico image. The binary itself still ships as a cobra subcommand of calico - the wrapper image's entrypoint is calico component intrusion-detection-controller. --- config/enterprise_versions.yml | 3 + hack/gen-versions/enterprise.go.tpl | 10 +++ pkg/components/enterprise.go | 73 +++++++++++-------- .../intrusiondetection_controller_test.go | 9 ++- pkg/render/intrusion_detection.go | 2 +- 5 files changed, 60 insertions(+), 37 deletions(-) diff --git a/config/enterprise_versions.yml b/config/enterprise_versions.yml index d9dcda7ee4..5aace63256 100644 --- a/config/enterprise_versions.yml +++ b/config/enterprise_versions.yml @@ -42,6 +42,9 @@ components: es-curator: image: es-curator version: master + intrusion-detection-controller: + image: intrusion-detection-controller + version: master compliance-benchmarker: image: compliance-benchmarker version: master diff --git a/hack/gen-versions/enterprise.go.tpl b/hack/gen-versions/enterprise.go.tpl index b231073979..7ed9089073 100644 --- a/hack/gen-versions/enterprise.go.tpl +++ b/hack/gen-versions/enterprise.go.tpl @@ -109,6 +109,15 @@ var ( variant: enterpriseVariant, } {{- end }} +{{ with index .Components "intrusion-detection-controller" }} + ComponentIntrusionDetectionController = Component{ + Version: "{{ .Version }}", + Image: "{{ .Image }}", + Registry: "{{ .Registry }}", + imagePath: "{{ .ImagePath }}", + variant: enterpriseVariant, + } +{{- end }} {{ with .Components.kibana }} ComponentKibana = Component{ Version: "{{ .Version }}", @@ -299,6 +308,7 @@ var ( ComponentElasticsearchOperator, ComponentFluentd, ComponentFluentdWindows, + ComponentIntrusionDetectionController, ComponentKibana, ComponentManager, ComponentDex, diff --git a/pkg/components/enterprise.go b/pkg/components/enterprise.go index deac8a05db..956caf058a 100644 --- a/pkg/components/enterprise.go +++ b/pkg/components/enterprise.go @@ -18,10 +18,10 @@ package components var ( - EnterpriseRelease string = "master" + EnterpriseRelease string = "test-build" ComponentTigeraCalico = Component{ - Version: "master", + Version: "test-build", Image: "calico", Registry: "", imagePath: "", @@ -29,7 +29,7 @@ var ( } ComponentComplianceBenchmarker = Component{ - Version: "master", + Version: "test-build", Image: "compliance-benchmarker", Registry: "", imagePath: "", @@ -37,7 +37,7 @@ var ( } ComponentDeepPacketInspection = Component{ - Version: "master", + Version: "test-build", Image: "deep-packet-inspection", Registry: "", imagePath: "", @@ -45,17 +45,17 @@ var ( } ComponentEckElasticsearch = Component{ - Version: "8.19.10", + Version: "8.19.12", variant: enterpriseVariant, } ComponentEckKibana = Component{ - Version: "8.19.10", + Version: "8.19.12", variant: enterpriseVariant, } ComponentElasticTseeInstaller = Component{ - Version: "master", + Version: "test-build", Image: "intrusion-detection-job-installer", Registry: "", imagePath: "", @@ -63,7 +63,7 @@ var ( } ComponentElasticsearch = Component{ - Version: "master", + Version: "test-build", Image: "elasticsearch", Registry: "", imagePath: "", @@ -71,12 +71,12 @@ var ( } ComponentECKElasticsearchOperator = Component{ - Version: "2.16.0", + Version: "3.3.2", variant: enterpriseVariant, } ComponentElasticsearchOperator = Component{ - Version: "master", + Version: "test-build", Image: "eck-operator", Registry: "", imagePath: "", @@ -84,7 +84,7 @@ var ( } ComponentFluentd = Component{ - Version: "master", + Version: "test-build", Image: "fluentd", Registry: "", imagePath: "", @@ -92,15 +92,23 @@ var ( } ComponentFluentdWindows = Component{ - Version: "master", + Version: "test-build", Image: "fluentd-windows", Registry: "", imagePath: "", variant: enterpriseVariant, } -ComponentKibana = Component{ - Version: "master", + ComponentIntrusionDetectionController = Component{ + Version: "test-build", + Image: "intrusion-detection-controller", + Registry: "", + imagePath: "", + variant: enterpriseVariant, + } + + ComponentKibana = Component{ + Version: "test-build", Image: "kibana", Registry: "", imagePath: "", @@ -108,7 +116,7 @@ ComponentKibana = Component{ } ComponentManager = Component{ - Version: "master", + Version: "test-build", Image: "manager", Registry: "", imagePath: "", @@ -116,7 +124,7 @@ ComponentKibana = Component{ } ComponentDex = Component{ - Version: "master", + Version: "test-build", Image: "dex", Registry: "", imagePath: "", @@ -124,7 +132,7 @@ ComponentKibana = Component{ } ComponentEgressGateway = Component{ - Version: "master", + Version: "test-build", Image: "egress-gateway", Registry: "", imagePath: "", @@ -132,14 +140,14 @@ ComponentKibana = Component{ } ComponentGatewayL7Collector = Component{ - Version: "master", + Version: "test-build", Image: "gateway-l7-collector", Registry: "", variant: enterpriseVariant, } ComponentEnvoyProxy = Component{ - Version: "master", + Version: "test-build", Image: "envoy", Registry: "", imagePath: "", @@ -147,7 +155,7 @@ ComponentKibana = Component{ } ComponentDikastes = Component{ - Version: "master", + Version: "test-build", Image: "dikastes", Registry: "", imagePath: "", @@ -160,7 +168,7 @@ ComponentKibana = Component{ } ComponentPrometheus = Component{ - Version: "master", + Version: "test-build", Image: "prometheus", Registry: "", imagePath: "", @@ -173,7 +181,7 @@ ComponentKibana = Component{ } ComponentPrometheusAlertmanager = Component{ - Version: "master", + Version: "test-build", Image: "alertmanager", Registry: "", imagePath: "", @@ -181,7 +189,7 @@ ComponentKibana = Component{ } ComponentTigeraNode = Component{ - Version: "master", + Version: "test-build", Image: "node", Registry: "", imagePath: "", @@ -189,7 +197,7 @@ ComponentKibana = Component{ } ComponentTigeraNodeWindows = Component{ - Version: "master", + Version: "test-build", Image: "node-windows", Registry: "", imagePath: "", @@ -197,7 +205,7 @@ ComponentKibana = Component{ } ComponentTigeraCNIWindows = Component{ - Version: "master", + Version: "test-build", Image: "cni-windows", Registry: "", imagePath: "", @@ -205,7 +213,7 @@ ComponentKibana = Component{ } ComponentGatewayAPIEnvoyGateway = Component{ - Version: "master", + Version: "test-build", Image: "envoy-gateway", Registry: "", imagePath: "", @@ -213,7 +221,7 @@ ComponentKibana = Component{ } ComponentGatewayAPIEnvoyProxy = Component{ - Version: "master", + Version: "test-build", Image: "envoy-proxy", Registry: "", imagePath: "", @@ -221,7 +229,7 @@ ComponentKibana = Component{ } ComponentGatewayAPIEnvoyRatelimit = Component{ - Version: "master", + Version: "test-build", Image: "envoy-ratelimit", Registry: "", imagePath: "", @@ -229,28 +237,28 @@ ComponentKibana = Component{ } ComponentIstioPilot = Component{ - Version: "master", + Version: "test-build", Image: "istio-pilot", Registry: "", variant: enterpriseVariant, } ComponentIstioInstallCNI = Component{ - Version: "master", + Version: "test-build", Image: "istio-install-cni", Registry: "", variant: enterpriseVariant, } ComponentIstioZTunnel = Component{ - Version: "master", + Version: "test-build", Image: "istio-ztunnel", Registry: "", variant: enterpriseVariant, } ComponentIstioProxyv2 = Component{ - Version: "master", + Version: "test-build", Image: "istio-proxyv2", Registry: "", variant: enterpriseVariant, @@ -267,6 +275,7 @@ ComponentKibana = Component{ ComponentElasticsearchOperator, ComponentFluentd, ComponentFluentdWindows, + ComponentIntrusionDetectionController, ComponentKibana, ComponentManager, ComponentDex, diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 090e05960f..38abc7364b 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -223,8 +223,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s:%s", components.TigeraImagePath, - components.ComponentTigeraCalico.Image, - components.ComponentTigeraCalico.Version))) + components.ComponentIntrusionDetectionController.Image, + components.ComponentIntrusionDetectionController.Version))) training_pt := corev1.PodTemplate{ TypeMeta: metav1.TypeMeta{ @@ -266,6 +266,7 @@ var _ = Describe("IntrusionDetection controller tests", func() { Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ {Image: "tigera/deep-packet-inspection", Digest: "sha256:deeppacketinspectionhash"}, + {Image: "tigera/intrusion-detection-controller", Digest: "sha256:intrusiondetectioncontrollerhash"}, {Image: "tigera/calico", Digest: "sha256:deadbeef0123456789"}, }, }, @@ -288,8 +289,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { Expect(controller.Image).To(Equal( fmt.Sprintf("some.registry.org/%s%s@%s", components.TigeraImagePath, - components.ComponentTigeraCalico.Image, - "sha256:deadbeef0123456789"))) + components.ComponentIntrusionDetectionController.Image, + "sha256:intrusiondetectioncontrollerhash"))) ds := appsv1.DaemonSet{ TypeMeta: metav1.TypeMeta{Kind: "DaemonSet", APIVersion: "apps/v1"}, diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go index 15ded6aa03..8577ea205a 100644 --- a/pkg/render/intrusion_detection.go +++ b/pkg/render/intrusion_detection.go @@ -132,7 +132,7 @@ func (c *intrusionDetectionComponent) ResolveImages(is *operatorv1.ImageSet) err var errMsgs []string var err error - c.controllerImage, err = components.GetReference(components.CombinedCalicoImage(c.cfg.Installation), reg, path, prefix, is) + c.controllerImage, err = components.GetReference(components.ComponentIntrusionDetectionController, reg, path, prefix, is) if err != nil { errMsgs = append(errMsgs, err.Error()) }