tigera · caseydavenport · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
@@ -1,4 +1,4 @@
-// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved.
 /*
 
 Licensed under the Apache License, Version 2.0 (the "License");
@@ -49,7 +49,7 @@ type Image struct {
 // ImageSet is used to specify image digests for the images that the operator deploys.
 // The name of the ImageSet is expected to be in the format `<variant>-<release>`.
 // The `variant` used is `enterprise` if the InstallationSpec Variant is
-// `TigeraSecureEnterprise` otherwise it is `calico`.
+// `CalicoEnterprise` or `TigeraSecureEnterprise`, otherwise it is `calico`.
 // The `release` must match the version of the variant that the operator is built to deploy,
 // this version can be obtained by passing the `--version` flag to the operator binary.
 type ImageSet struct {

@@ -47,10 +47,11 @@ type Installation struct {
 
 // InstallationSpec defines configuration for a Calico or Calico Enterprise installation.
 type InstallationSpec struct {
-	// Variant is the product to install - one of Calico or TigeraSecureEnterprise
+	// Variant is the product to install - one of Calico or CalicoEnterprise.
+	// TigeraSecureEnterprise is also accepted as a deprecated alias for CalicoEnterprise.
 	// Default: Calico
 	// +optional
-	// +kubebuilder:validation:Enum=Calico;TigeraSecureEnterprise
+	// +kubebuilder:validation:Enum=Calico;CalicoEnterprise;TigeraSecureEnterprise
 	Variant ProductVariant `json:"variant,omitempty"`
 
 	// Registry is the default Docker registry used for component Docker images.
@@ -460,14 +461,23 @@ func (p Provider) IsKind() bool {
 
 // ProductVariant represents the variant of the product.
 //
-// One of: Calico, TigeraSecureEnterprise
+// One of: Calico, CalicoEnterprise.
+// TigeraSecureEnterprise is a deprecated alias for CalicoEnterprise.
 type ProductVariant string
 
 var (
-	Calico                 ProductVariant = "Calico"
+	Calico           ProductVariant = "Calico"
+	CalicoEnterprise ProductVariant = "CalicoEnterprise"
+
+	// Deprecated: Use CalicoEnterprise instead.
 	TigeraSecureEnterprise ProductVariant = "TigeraSecureEnterprise"
 )
 
+// IsEnterprise returns true if the variant is an enterprise variant (either CalicoEnterprise or TigeraSecureEnterprise).
+func (v ProductVariant) IsEnterprise() bool {
+	return v == CalicoEnterprise || v == TigeraSecureEnterprise
+}
+
 // NonPrivilegedType specifies whether Calico runs as permissioned or not
 //
 // One of: Enabled, Disabled
@@ -979,8 +989,9 @@ type CNISpec struct {
 
 // InstallationStatus defines the observed state of the Calico or Calico Enterprise installation.
 type InstallationStatus struct {
-	// Variant is the most recently observed installed variant - one of Calico or TigeraSecureEnterprise
-	// +kubebuilder:validation:Enum=Calico;TigeraSecureEnterprise
+	// Variant is the most recently observed installed variant - one of Calico or CalicoEnterprise.
+	// TigeraSecureEnterprise is a deprecated alias for CalicoEnterprise.
+	// +kubebuilder:validation:Enum=Calico;CalicoEnterprise;TigeraSecureEnterprise
 	Variant ProductVariant `json:"variant,omitempty"`
 
 	// MTU is the most recently observed value for pod network MTU. This may be an explicitly

@@ -178,7 +178,7 @@ If a value other than 'all' is specified, the first CRD with a prefix of the spe
 	}
 
 	if printEnterpriseCRDs != "" {
-		if err := showCRDs(operatortigeraiov1.TigeraSecureEnterprise, printEnterpriseCRDs); err != nil {
+		if err := showCRDs(operatortigeraiov1.CalicoEnterprise, printEnterpriseCRDs); err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

@@ -113,7 +113,7 @@ Then, modify the installation CR (e.g., with `kubectl edit installations`) to in
 
 ```
 spec:
-  variant: TigeraSecureEnterprise
+  variant: CalicoEnterprise
   imagePullSecrets:
   - name: tigera-pull-secret
 ```

@@ -27,7 +27,7 @@ def main():
     # This is still a manual process at the moment.
     # [APIServer] --> [ClusterConnection]
     # [APIServer] -> [Installation]
-    graph.add_edge(Edge('apiserver', 'clusterconnection', label='TSEE', style='dashed'))
+    graph.add_edge(Edge('apiserver', 'clusterconnection', label='Enterprise', style='dashed'))
     graph.add_edge(Edge('apiserver', 'installation'))
     # [ApplicationLayer] -> [Installation]
     graph.add_edge(Edge('applicationlayer', 'installation'))

@@ -104,7 +104,7 @@ func Add(mgr manager.Manager, opts options.ControllerOptions) error {
 
 	if opts.EnterpriseCRDExists {
 		// Watch for changes to ApplicationLayer
-		err = c.WatchObject(&operatorv1.ApplicationLayer{ObjectMeta: metav1.ObjectMeta{Name: utils.DefaultTSEEInstanceKey.Name}}, &handler.EnqueueRequestForObject{})
+		err = c.WatchObject(&operatorv1.ApplicationLayer{ObjectMeta: metav1.ObjectMeta{Name: utils.DefaultEnterpriseInstanceKey.Name}}, &handler.EnqueueRequestForObject{})
 		if err != nil {
 			return fmt.Errorf("apiserver-controller failed to watch ApplicationLayer resource: %v", err)
 		}
@@ -337,7 +337,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 	var keyValidatorConfig authentication.KeyValidatorConfig
 	includeV3NetworkPolicy := false
 
-	if installationSpec.Variant == operatorv1.TigeraSecureEnterprise {
+	if installationSpec.Variant.IsEnterprise() {
 		trustedBundle, err = certificateManager.CreateNamedTrustedBundleFromSecrets(render.APIServerResourceName, r.client,
 			common.OperatorNamespace(), false)
 		if err != nil {

@@ -93,12 +93,12 @@ var _ = Describe("apiserver controller tests", func() {
 				Generation: 2,
 			},
 			Status: operatorv1.InstallationStatus{
-				Variant:  operatorv1.TigeraSecureEnterprise,
+				Variant:  operatorv1.CalicoEnterprise,
 				Computed: &operatorv1.InstallationSpec{},
 			},
 			Spec: operatorv1.InstallationSpec{
 				ControlPlaneReplicas: &replicas,
-				Variant:              operatorv1.TigeraSecureEnterprise,
+				Variant:              operatorv1.CalicoEnterprise,
 				Registry:             "some.registry.org/",
 			},
 		}
@@ -468,7 +468,7 @@ var _ = Describe("apiserver controller tests", func() {
 
 		It("should create the cert secrets in the correct namespace when migrating from calico to enterprise", func() {
 			Expect(netv1.SchemeBuilder.AddToScheme(scheme)).ShouldNot(HaveOccurred())
-			installation.Spec.Variant = operatorv1.TigeraSecureEnterprise
+			installation.Spec.Variant = operatorv1.CalicoEnterprise
 			installation.Status.Variant = operatorv1.Calico
 			Expect(cli.Create(ctx, installation)).To(BeNil())
 			Expect(cli.Delete(ctx, &v3.Tier{ObjectMeta: metav1.ObjectMeta{Name: "calico-system"}})).NotTo(HaveOccurred())

@@ -229,8 +229,8 @@ func (r *ReconcileApplicationLayer) Reconcile(ctx context.Context, request recon
 		return reconcile.Result{}, err
 	}
 
-	if variant != operatorv1.TigeraSecureEnterprise {
-		r.status.SetDegraded(operatorv1.ResourceNotReady, fmt.Sprintf("Waiting for network to be %s", operatorv1.TigeraSecureEnterprise), nil, reqLogger)
+	if !variant.IsEnterprise() {
+		r.status.SetDegraded(operatorv1.ResourceNotReady, "Waiting for network to be an enterprise variant", nil, reqLogger)
 		return reconcile.Result{}, nil
 	}
 
@@ -447,7 +447,7 @@ func (r *ReconcileApplicationLayer) getWAFRulesetConfig(ctx context.Context) (*c
 // getApplicationLayer returns the default ApplicationLayer instance.
 func getApplicationLayer(ctx context.Context, cli client.Client) (*operatorv1.ApplicationLayer, error) {
 	instance := &operatorv1.ApplicationLayer{}
-	err := cli.Get(ctx, utils.DefaultTSEEInstanceKey, instance)
+	err := cli.Get(ctx, utils.DefaultEnterpriseInstanceKey, instance)
 	if err != nil {
 		return nil, err
 	}

@@ -69,11 +69,11 @@ var _ = Describe("Application layer controller tests", func() {
 			installation = &operatorv1.Installation{
 				ObjectMeta: metav1.ObjectMeta{Name: "default"},
 				Spec: operatorv1.InstallationSpec{
-					Variant:  operatorv1.TigeraSecureEnterprise,
+					Variant:  operatorv1.CalicoEnterprise,
 					Registry: "some.registry.org/",
 				},
 				Status: operatorv1.InstallationStatus{
-					Variant: operatorv1.TigeraSecureEnterprise,
+					Variant: operatorv1.CalicoEnterprise,
 					Computed: &operatorv1.InstallationSpec{
 						Registry: "my-reg",
 						// The test is provider agnostic.

@@ -239,8 +239,8 @@ func (r *ReconcileAuthentication) Reconcile(ctx context.Context, request reconci
 		r.status.SetDegraded(oprv1.ResourceReadError, "Error querying installation", err, reqLogger)
 		return reconcile.Result{}, err
 	}
-	if variant != oprv1.TigeraSecureEnterprise {
-		r.status.SetDegraded(oprv1.ResourceNotReady, fmt.Sprintf("Waiting for network to be %s", oprv1.TigeraSecureEnterprise), nil, reqLogger)
+	if !variant.IsEnterprise() {
+		r.status.SetDegraded(oprv1.ResourceNotReady, "Waiting for network to be an enterprise variant", nil, reqLogger)
 		return reconcile.Result{}, nil
 	}
 

@@ -103,12 +103,12 @@ var _ = Describe("authentication controller tests", func() {
 				Name: "default",
 			},
 			Status: operatorv1.InstallationStatus{
-				Variant:  operatorv1.TigeraSecureEnterprise,
+				Variant:  operatorv1.CalicoEnterprise,
 				Computed: &operatorv1.InstallationSpec{},
 			},
 			Spec: operatorv1.InstallationSpec{
 				ControlPlaneReplicas: &replicas,
-				Variant:              operatorv1.TigeraSecureEnterprise,
+				Variant:              operatorv1.CalicoEnterprise,
 				Registry:             "some.registry.org/",
 			},
 		}

@@ -181,7 +181,7 @@ func Create(cli client.Client, installation *operatorv1.InstallationSpec, cluste
 			return nil, err
 		}
 		// We instantiate csrImage regardless of whether certificate management is enabled; it may still be used.
-		if installation.Variant == operatorv1.TigeraSecureEnterprise {
+		if installation.Variant.IsEnterprise() {
 			csrImage, err = components.GetReference(
 				components.ComponentTigeraCSRInitContainer,
 				installation.Registry,

@@ -245,7 +245,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 	}
 
 	// Verify the cluster doesn't also have the ManagementCluster CRD installed.
-	if variant == operatorv1.TigeraSecureEnterprise {
+	if variant.IsEnterprise() {
 		managementCluster, err := utils.GetManagementCluster(ctx, r.cli)
 		if err != nil {
 			r.status.SetDegraded(operatorv1.ResourceReadError, "Error reading ManagementCluster", err, reqLogger)
@@ -306,7 +306,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 	}
 
 	var guardianKeyPair certificatemanagement.KeyPairInterface
-	if variant != operatorv1.TigeraSecureEnterprise {
+	if !variant.IsEnterprise() {
 		guardianCertificateNames := dns.GetServiceDNSNames("guardian", render.GuardianNamespace, r.clusterDomain)
 		guardianCertificateNames = append(guardianCertificateNames, "localhost", "127.0.0.1")
 		guardianKeyPair, err = certificateManager.GetOrCreateKeyPair(r.cli, render.GuardianKeyPairSecret, whisker.WhiskerNamespace, guardianCertificateNames)
@@ -409,7 +409,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 		r.status.SetDegraded(operatorv1.ResourceReadError, "Error querying clusterInformation", err, reqLogger)
 		return reconcile.Result{}, err
 	}
-	if variant == operatorv1.TigeraSecureEnterprise {
+	if variant.IsEnterprise() {
 		managedClusterVersion = clusterInformation.Spec.CNXVersion
 	} else {
 		managedClusterVersion = clusterInformation.Spec.CalicoVersion
@@ -422,7 +422,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 	}
 
 	var includeEgressNetworkPolicy bool
-	if variant == operatorv1.TigeraSecureEnterprise {
+	if variant.IsEnterprise() {
 		// Ensure the license can support enterprise policy, before rendering any network policies within it.
 		if license, err := utils.FetchLicenseKey(ctx, r.cli); err == nil {
 			if utils.IsFeatureActive(license, common.EgressAccessControlFeature) {
@@ -522,7 +522,7 @@ func fillDefaults(cr *operatorv1.ManagementClusterConnection, variant operatorv1
 	if cr.Spec.TLS.CA == "" {
 		cr.Spec.TLS.CA = operatorv1.CATypeTigera
 	}
-	if variant == operatorv1.TigeraSecureEnterprise && cr.Spec.Impersonation == nil {
+	if variant.IsEnterprise() && cr.Spec.Impersonation == nil {
 		cr.Spec.Impersonation = &operatorv1.Impersonation{
 			Users:           []string{},
 			Groups:          []string{},

@@ -151,12 +151,12 @@ var _ = Describe("ManagementClusterConnection controller tests", func() {
 
 		installation = &operatorv1.Installation{
 			Spec: operatorv1.InstallationSpec{
-				Variant:  operatorv1.TigeraSecureEnterprise,
+				Variant:  operatorv1.CalicoEnterprise,
 				Registry: "some.registry.org/",
 			},
 			ObjectMeta: metav1.ObjectMeta{Name: "default"},
 			Status: operatorv1.InstallationStatus{
-				Variant: operatorv1.TigeraSecureEnterprise,
+				Variant: operatorv1.CalicoEnterprise,
 				Computed: &operatorv1.InstallationSpec{
 					Registry:           "my-reg",
 					KubernetesProvider: operatorv1.ProviderNone,

@@ -109,14 +109,14 @@ var _ = Describe("Compliance controller tests", func() {
 		installation = &operatorv1.Installation{
 			ObjectMeta: metav1.ObjectMeta{Name: "default"},
 			Spec: operatorv1.InstallationSpec{
-				Variant:  operatorv1.TigeraSecureEnterprise,
+				Variant:  operatorv1.CalicoEnterprise,
 				Registry: "some.registry.org/",
 				ImagePullSecrets: []corev1.LocalObjectReference{{
 					Name: "tigera-pull-secret",
 				}},
 			},
 			Status: operatorv1.InstallationStatus{
-				Variant: operatorv1.TigeraSecureEnterprise,
+				Variant: operatorv1.CalicoEnterprise,
 				Computed: &operatorv1.InstallationSpec{
 					Registry: "my-reg",
 					// The test is provider agnostic.
@@ -320,7 +320,7 @@ var _ = Describe("Compliance controller tests", func() {
 		Expect(c.Create(
 			ctx,
 			&operatorv1.ManagementClusterConnection{
-				ObjectMeta: metav1.ObjectMeta{Name: utils.DefaultTSEEInstanceKey.Name},
+				ObjectMeta: metav1.ObjectMeta{Name: utils.DefaultEnterpriseInstanceKey.Name},
 			})).NotTo(HaveOccurred())
 
 		By("reconciling after the cluster type changes")

@@ -196,7 +196,7 @@ func (r *reconcileCSR) Reconcile(ctx context.Context, request reconcile.Request)
 	needsCSRRole := instance.Spec.CertificateManagement != nil
 	if !needsCSRRole && r.enterpriseCRDExists {
 		monitorCR := &operatorv1.Monitor{}
-		if err := r.client.Get(ctx, utils.DefaultTSEEInstanceKey, monitorCR); err != nil {
+		if err := r.client.Get(ctx, utils.DefaultEnterpriseInstanceKey, monitorCR); err != nil {
 			if apierrors.IsNotFound(err) {
 				return reconcile.Result{}, nil
 			}

@@ -83,7 +83,7 @@ var _ = Describe("CSR controller tests", func() {
 		installation = &operatorv1.Installation{
 			ObjectMeta: metav1.ObjectMeta{Name: "default"},
 			Spec: operatorv1.InstallationSpec{
-				Variant:  operatorv1.TigeraSecureEnterprise,
+				Variant:  operatorv1.CalicoEnterprise,
 				Registry: "some.registry.org/",
 			},
 		}

@@ -260,8 +260,8 @@ func (r *ReconcileEgressGateway) Reconcile(ctx context.Context, request reconcil
 		return reconcile.Result{}, err
 	}
 
-	if variant != operatorv1.TigeraSecureEnterprise {
-		degradedMsg := fmt.Sprintf("Waiting for network to be %s", operatorv1.TigeraSecureEnterprise)
+	if !variant.IsEnterprise() {
+		degradedMsg := "Waiting for network to be an enterprise variant"
 		reqLogger.Error(err, degradedMsg)
 		r.status.SetDegraded(operatorv1.ResourceNotReady, degradedMsg, nil, reqLogger)
 		for _, egw := range egwsToReconcile {

@@ -74,12 +74,12 @@ var _ = Describe("Egress Gateway controller tests", func() {
 			installation = &operatorv1.Installation{
 				ObjectMeta: metav1.ObjectMeta{Name: "default"},
 				Spec: operatorv1.InstallationSpec{
-					Variant:            operatorv1.TigeraSecureEnterprise,
+					Variant:            operatorv1.CalicoEnterprise,
 					KubernetesProvider: operatorv1.ProviderNone,
 					Registry:           "some.registry.org/",
 				},
 				Status: operatorv1.InstallationStatus{
-					Variant: operatorv1.TigeraSecureEnterprise,
+					Variant: operatorv1.CalicoEnterprise,
 					Computed: &operatorv1.InstallationSpec{
 						Registry: "my-reg",
 					},

@@ -440,13 +440,13 @@ func GetGatewayAPI(ctx context.Context, client client.Client) (*operatorv1.Gatew
 		}
 
 		// Default resource doesn't exist. Check for the legacy (enterprise only) CR.
-		err = client.Get(ctx, utils.DefaultTSEEInstanceKey, resource)
+		err = client.Get(ctx, utils.DefaultEnterpriseInstanceKey, resource)
 		if err != nil {
 			return nil, "failed to get GatewayAPI 'tigera-secure'", err
 		}
 	} else {
 		// Assert there is no legacy "tigera-secure" resource present.
-		err = client.Get(ctx, utils.DefaultTSEEInstanceKey, resource)
+		err = client.Get(ctx, utils.DefaultEnterpriseInstanceKey, resource)
 		if err == nil {
 			return nil,
 				"Duplicate configuration detected",

@@ -70,11 +70,11 @@ var _ = Describe("Gateway API controller tests", func() {
 		installation = &operatorv1.Installation{
 			ObjectMeta: metav1.ObjectMeta{Name: "default"},
 			Spec: operatorv1.InstallationSpec{
-				Variant:  operatorv1.TigeraSecureEnterprise,
+				Variant:  operatorv1.CalicoEnterprise,
 				Registry: "some.registry.org/",
 			},
 			Status: operatorv1.InstallationStatus{
-				Variant: operatorv1.TigeraSecureEnterprise,
+				Variant: operatorv1.CalicoEnterprise,
 				Computed: &operatorv1.InstallationSpec{
 					Registry: "my-reg",
 					// The test is provider agnostic.
@@ -155,7 +155,7 @@ var _ = Describe("Gateway API controller tests", func() {
 
 				if gwapi.Spec.CRDManagement == nil {
 					By("checking that CRDManagement field has been updated to PreferExisting")
-					Expect(c.Get(ctx, utils.DefaultTSEEInstanceKey, gwapi)).NotTo(HaveOccurred())
+					Expect(c.Get(ctx, utils.DefaultEnterpriseInstanceKey, gwapi)).NotTo(HaveOccurred())
 					Expect(gwapi.Spec.CRDManagement).NotTo(BeNil())
 					Expect(*gwapi.Spec.CRDManagement).To(Equal(operatorv1.CRDManagementPreferExisting))
 				}
@@ -611,7 +611,7 @@ var _ = Describe("Gateway API controller tests", func() {
 		Expect(err).NotTo(HaveOccurred())
 
 		By("re-reading the GatewayAPI")
-		err = c.Get(ctx, utils.DefaultTSEEInstanceKey, gwapi)
+		err = c.Get(ctx, utils.DefaultEnterpriseInstanceKey, gwapi)
 		Expect(err).NotTo(HaveOccurred())
 
 		By("checking default GatewayClasses")