tigera · caseydavenport · Mar 23, 2026 · Mar 24, 2026
@@ -21,3 +21,5 @@ components:
     version: master
   csi-node-driver-registrar:
     version: master
+  calico/calico:
+    version: master
@@ -80,6 +80,12 @@ var (
 		Version: "{{ .Version }}",
 		Image:   "{{ .Image }}",
 	}
+{{- end }}
+{{ with index .Components "calico/calico"}}
+	ComponentCalico = component{
+		Version: "{{ .Version }}",
+		Image:   "{{ .Image }}",
+	}
 {{- end }}
 	ComponentOperatorInit = component{
 		Version: version.VERSION,
@@ -98,5 +104,6 @@ var (
 		ComponentWindowsUpgrade,
 		ComponentCalicoCSI,
 		ComponentCalicoCSIRegistrar,
+		ComponentCalico,
 	}
 )
@@ -44,6 +44,7 @@ var defaultImages = map[string]string{
 	"calico/apiserver":           "calico/apiserver",
 	"calico/windows-upgrade":     "calico/windows-upgrade",
 	"tigera/linseed":             "tigera/linseed",
+	"calico/calico":              "calico/calico",
 }
 
 var ignoredImages = map[string]struct{}{
@@ -55,6 +56,19 @@ var ignoredImages = map[string]struct{}{
 	"calico/api":        {},
 	"libcalico-go":      {},
 	"calico/windows":    {},
+	"node-windows":      {},
+	"cni-windows":       {},
+	"goldmane":          {},
+	"webhooks":          {},
+	"whisker":           {},
+	"whisker-backend":   {},
+	"envoy-gateway":     {},
+	"envoy-proxy":       {},
+	"envoy-ratelimit":   {},
+	"istio-pilot":       {},
+	"istio-install-cni": {},
+	"istio-ztunnel":     {},
+	"istio-proxyv2":     {},
 }
 
 type Release struct {

@@ -71,6 +71,11 @@ var (
 		Version: "master",
 		Image:   "calico/node-driver-registrar",
 	}
+
+	ComponentCalico = component{
+		Version: "master",
+		Image:   "calico/calico",
+	}
 	ComponentOperatorInit = component{
 		Version: version.VERSION,
 		Image:   "tigera/operator",
@@ -88,5 +93,6 @@ var (
 		ComponentWindowsUpgrade,
 		ComponentCalicoCSI,
 		ComponentCalicoCSIRegistrar,
+		ComponentCalico,
 	}
 )
@@ -43,7 +43,8 @@ func GetReference(c component, registry, imagePath, imagePrefix string, is *oper
 			ComponentCalicoAPIServer,
 			ComponentWindowsUpgrade,
 			ComponentCalicoCSI,
-			ComponentCalicoCSIRegistrar:
+			ComponentCalicoCSIRegistrar,
+			ComponentCalico:
 
 			registry = CalicoRegistry
 		case ComponentOperatorInit:

@@ -146,7 +146,7 @@ func (c *apiServerComponent) ResolveImages(is *operatorv1.ImageSet) error {
 			errMsgs = append(errMsgs, err.Error())
 		}
 	} else {
-		c.apiServerImage, err = components.GetReference(components.ComponentCalicoAPIServer, reg, path, prefix, is)
+		c.apiServerImage, err = components.GetReference(components.ComponentCalico, reg, path, prefix, is)
 		if err != nil {
 			errMsgs = append(errMsgs, err.Error())
 		}
@@ -930,11 +930,17 @@ func (c *apiServerComponent) apiServerContainer() corev1.Container {
 		env = append(env, corev1.EnvVar{Name: "MULTI_INTERFACE_MODE", Value: c.cfg.Installation.CalicoNetwork.MultiInterfaceMode.Value()})
 	}
 
+	var command []string
+	if c.cfg.Installation.Variant != operatorv1.TigeraSecureEnterprise {
+		command = []string{"calico", "apiserver"}
+	}
+
 	apiServer := corev1.Container{
-		Name:  APIServerContainerName,
-		Image: c.apiServerImage,
-		Args:  c.startUpArgs(),
-		Env:   env,
+		Name:    APIServerContainerName,
+		Image:   c.apiServerImage,
+		Command: command,
+		Args:    c.startUpArgs(),
+		Env:     env,
 		// OpenShift apiserver needs privileged access to write audit logs to host path volume.
 		// Audit logs are owned by root on hosts so we need to be root user and group.
 		SecurityContext: securitycontext.NewRootContext(c.cfg.Openshift),

@@ -1612,7 +1612,7 @@ var _ = Describe("API server rendering tests (Calico)", func() {
 		Expect(len(d.Spec.Template.Spec.Containers)).To(Equal(1))
 		Expect(d.Spec.Template.Spec.Containers[0].Name).To(Equal("calico-apiserver"))
 		Expect(d.Spec.Template.Spec.Containers[0].Image).To(Equal(
-			fmt.Sprintf("testregistry.com/%s:%s", components.ComponentCalicoAPIServer.Image, components.ComponentCalicoAPIServer.Version),
+			fmt.Sprintf("testregistry.com/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version),
 		))
 
 		expectedArgs := []string{

@@ -93,10 +93,16 @@ func (c *csiComponent) csiTolerations() []corev1.Toleration {
 
 func (c *csiComponent) csiContainers() []corev1.Container {
 	mountPropagation := corev1.MountPropagationBidirectional
+	var csiCommand []string
+	if c.cfg.Installation.Variant != operatorv1.TigeraSecureEnterprise {
+		csiCommand = []string{"calico", "csi"}
+	}
+
 	csiContainer := corev1.Container{
 		Name:            CSIContainerName,
 		Image:           c.csiImage,
 		ImagePullPolicy: corev1.PullIfNotPresent,
+		Command:         csiCommand,
 		Args: []string{
 			"--nodeid=$(KUBE_NODE_NAME)",
 			"--loglevel=$(LOG_LEVEL)",
@@ -373,12 +379,12 @@ func (c *csiComponent) ResolveImages(is *operatorv1.ImageSet) error {
 
 		c.csiRegistrarImage, err = components.GetReference(components.ComponentCSINodeDriverRegistrarPrivate, reg, path, prefix, is)
 	} else {
-		c.csiImage, err = components.GetReference(components.ComponentCalicoCSI, reg, path, prefix, is)
+		c.csiImage, err = components.GetReference(components.ComponentCalico, reg, path, prefix, is)
 		if err != nil {
 			return err
 		}
 
-		c.csiRegistrarImage, err = components.GetReference(components.ComponentCalicoCSIRegistrar, reg, path, prefix, is)
+		c.csiRegistrarImage, err = components.GetReference(components.ComponentCalico, reg, path, prefix, is)
 	}
 
 	return err

@@ -288,7 +288,7 @@ var _ = Describe("CSI rendering tests", func() {
 		Expect(comp.ResolveImages(nil)).To(BeNil())
 		createObjs, _ := comp.Objects()
 		dsResource := rtest.GetResource(createObjs, "csi-node-driver", common.CalicoNamespace, "apps", "v1", "DaemonSet")
-		Expect(dsResource.(*appsv1.DaemonSet).Spec.Template.Spec.Containers[0].Image).To(Equal(fmt.Sprintf("%s%s:%s", components.CalicoRegistry, components.ComponentCalicoCSI.Image, components.ComponentCalicoCSI.Version)))
-		Expect(dsResource.(*appsv1.DaemonSet).Spec.Template.Spec.Containers[1].Image).To(Equal(fmt.Sprintf("%s%s:%s", components.CalicoRegistry, components.ComponentCalicoCSIRegistrar.Image, components.ComponentCalicoCSIRegistrar.Version)))
+		Expect(dsResource.(*appsv1.DaemonSet).Spec.Template.Spec.Containers[0].Image).To(Equal(fmt.Sprintf("%s%s:%s", components.CalicoRegistry, components.ComponentCalico.Image, components.ComponentCalico.Version)))
+		Expect(dsResource.(*appsv1.DaemonSet).Spec.Template.Spec.Containers[1].Image).To(Equal(fmt.Sprintf("%s%s:%s", components.CalicoRegistry, components.ComponentCalico.Image, components.ComponentCalico.Version)))
 	})
 })
@@ -211,7 +211,7 @@ func (c *kubeControllersComponent) ResolveImages(is *operatorv1.ImageSet) error
 	if c.cfg.Installation.Variant == operatorv1.TigeraSecureEnterprise {
 		c.image, err = components.GetReference(components.ComponentTigeraKubeControllers, reg, path, prefix, is)
 	} else {
-		c.image, err = components.GetReference(components.ComponentCalicoKubeControllers, reg, path, prefix, is)
+		c.image, err = components.GetReference(components.ComponentCalico, reg, path, prefix, is)
 	}
 	return err
 }
@@ -457,19 +457,26 @@ func (c *kubeControllersComponent) controllersDeployment() *appsv1.Deployment {
 	sc.RunAsUser = ptr.Int64ToPtr(999)
 	sc.RunAsGroup = ptr.Int64ToPtr(0)
 
+	readinessCmd := []string{"/usr/bin/check-status", "-r"}
+	livenessCmd := []string{"/usr/bin/check-status", "-l"}
+	var command []string
+	if c.cfg.Installation.Variant != operatorv1.TigeraSecureEnterprise {
+		command = []string{"calico", "kube-controllers"}
+		readinessCmd = []string{"/usr/bin/calico", "check-status", "-r"}
+		livenessCmd = []string{"/usr/bin/calico", "check-status", "-l"}
+	}
+
 	container := corev1.Container{
 		Name:      c.kubeControllerName,
 		Image:     c.image,
+		Command:   command,
 		Env:       env,
 		Resources: c.kubeControllersResources(),
 		ReadinessProbe: &corev1.Probe{
 			PeriodSeconds: int32(10),
 			ProbeHandler: corev1.ProbeHandler{
 				Exec: &corev1.ExecAction{
-					Command: []string{
-						"/usr/bin/check-status",
-						"-r",
-					},
+					Command: readinessCmd,
 				},
 			},
 			TimeoutSeconds: 10,
@@ -480,10 +487,7 @@ func (c *kubeControllersComponent) controllersDeployment() *appsv1.Deployment {
 			FailureThreshold:    int32(6),
 			ProbeHandler: corev1.ProbeHandler{
 				Exec: &corev1.ExecAction{
-					Command: []string{
-						"/usr/bin/check-status",
-						"-l",
-					},
+					Command: livenessCmd,
 				},
 			},
 			TimeoutSeconds: 10,

@@ -183,9 +183,9 @@ var _ = Describe("kube-controllers rendering tests", func() {
 		ds := rtest.GetResource(resources, kubecontrollers.KubeController, common.CalicoNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment)
 		Expect(ds.Spec.Template.Spec.Containers).To(HaveLen(1))
 
-		// Image override results in correct image.
+		// Image override results in correct image (uber image for OSS).
 		Expect(ds.Spec.Template.Spec.Containers[0].Image).To(Equal(
-			fmt.Sprintf("test-reg/%s:%s", components.ComponentCalicoKubeControllers.Image, components.ComponentCalicoKubeControllers.Version),
+			fmt.Sprintf("test-reg/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version),
 		))
 
 		// Verify env

@@ -160,10 +160,10 @@ func (c *nodeComponent) ResolveImages(is *operatorv1.ImageSet) error {
 		if operatorv1.IsFIPSModeEnabled(c.cfg.Installation.FIPSMode) {
 			c.cniImage = appendIfErr(components.GetReference(components.ComponentCalicoCNIFIPS, reg, path, prefix, is))
 		} else {
-			c.cniImage = appendIfErr(components.GetReference(components.ComponentCalicoCNI, reg, path, prefix, is))
+			c.cniImage = appendIfErr(components.GetReference(components.ComponentCalico, reg, path, prefix, is))
 		}
 		c.nodeImage = appendIfErr(components.GetReference(components.ComponentCalicoNode, reg, path, prefix, is))
-		c.flexvolImage = appendIfErr(components.GetReference(components.ComponentFlexVolume, reg, path, prefix, is))
+		c.flexvolImage = appendIfErr(components.GetReference(components.ComponentCalico, reg, path, prefix, is))
 	}
 
 	if len(errMsgs) != 0 {
@@ -959,10 +959,15 @@ func (c *nodeComponent) cniContainer() corev1.Container {
 		{MountPath: "/host/etc/cni/net.d", Name: "cni-net-dir"},
 	}
 
+	cniCommand := []string{"/opt/cni/bin/install"}
+	if c.cfg.Installation.Variant != operatorv1.TigeraSecureEnterprise {
+		cniCommand = []string{"calico", "cni", "install"}
+	}
+
 	return corev1.Container{
 		Name:            "install-cni",
 		Image:           c.cniImage,
-		Command:         []string{"/opt/cni/bin/install"},
+		Command:         cniCommand,
 		Env:             cniEnv,
 		SecurityContext: securitycontext.NewRootContext(true),
 		VolumeMounts:    cniVolumeMounts,
@@ -976,9 +981,15 @@ func (c *nodeComponent) flexVolumeContainer() corev1.Container {
 		{MountPath: "/host/driver", Name: "flexvol-driver-host"},
 	}
 
+	var flexvolCommand []string
+	if c.cfg.Installation.Variant != operatorv1.TigeraSecureEnterprise {
+		flexvolCommand = []string{"calico", "flexvol"}
+	}
+
 	return corev1.Container{
 		Name:            "flexvol-driver",
 		Image:           c.flexvolImage,
+		Command:         flexvolCommand,
 		SecurityContext: securitycontext.NewRootContext(true),
 		VolumeMounts:    flexVolumeMounts,
 	}

@@ -247,7 +247,7 @@ var _ = Describe("Node rendering tests", func() {
 				// CNI container uses image override.
 				cniContainer := rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni")
 				rtest.ExpectEnv(cniContainer.Env, "CNI_NET_DIR", "/etc/cni/net.d")
-				Expect(cniContainer.Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalicoCNI.Image, components.ComponentCalicoCNI.Version)))
+				Expect(cniContainer.Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				Expect(*cniContainer.SecurityContext.AllowPrivilegeEscalation).To(BeTrue())
 				Expect(*cniContainer.SecurityContext.Privileged).To(BeTrue())
@@ -266,7 +266,7 @@ var _ = Describe("Node rendering tests", func() {
 
 				// Verify the Flex volume container image.
 				flexvolContainer := rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver")
-				Expect(flexvolContainer.Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(flexvolContainer.Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				Expect(*flexvolContainer.SecurityContext.AllowPrivilegeEscalation).To(BeTrue())
 				Expect(*flexvolContainer.SecurityContext.Privileged).To(BeTrue())
@@ -497,10 +497,10 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(3))
 
 				// CNI container uses image override.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalicoCNI.Image, components.ComponentCalicoCNI.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the mount-bpffs image and command.
 				mountBpffs := rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "mount-bpffs")
@@ -882,10 +882,10 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(3))
 
 				// CNI container uses image override.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalicoCNI.Image, components.ComponentCalicoCNI.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the mount-bpffs image and command.
 				mountBpffs := rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "mount-bpffs")
@@ -1040,10 +1040,10 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(2))
 
 				// CNI container uses image override.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalicoCNI.Image, components.ComponentCalicoCNI.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify env
 				expectedNodeEnv := []corev1.EnvVar{
@@ -1199,7 +1199,7 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(1))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify env
 				expectedNodeEnv := []corev1.EnvVar{
@@ -1448,10 +1448,10 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(2))
 
 				// CNI container uses image override.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalicoCNI.Image, components.ComponentCalicoCNI.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify env
 				expectedNodeEnv := []corev1.EnvVar{
@@ -1604,7 +1604,7 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(1))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify env
 				expectedNodeEnv := []corev1.EnvVar{
@@ -3024,10 +3024,10 @@ var _ = Describe("Node rendering tests", func() {
 				Expect(len(ds.Spec.Template.Spec.InitContainers)).To(Equal(2))
 
 				// CNI container uses image override.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalicoCNI.Image, components.ComponentCalicoCNI.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "install-cni").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify the Flex volume container image.
-				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentFlexVolume.Image, components.ComponentFlexVolume.Version)))
+				Expect(rtest.GetContainer(ds.Spec.Template.Spec.InitContainers, "flexvol-driver").Image).To(Equal(fmt.Sprintf("docker.io/%s:%s", components.ComponentCalico.Image, components.ComponentCalico.Version)))
 
 				// Verify env
 				expectedNodeEnv := []corev1.EnvVar{