tigera · caseydavenport · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
@@ -42,6 +42,7 @@ import (
 	"github.com/tigera/operator/pkg/controller/options"
 	"github.com/tigera/operator/pkg/controller/utils"
 	"github.com/tigera/operator/pkg/dns"
+	"github.com/tigera/operator/pkg/enterprise"
 	"github.com/tigera/operator/pkg/imports/admission"
 	"github.com/tigera/operator/pkg/imports/crds"
 	"github.com/tigera/operator/pkg/render"
@@ -521,6 +522,7 @@ If a value other than 'all' is specified, the first CRD with a prefix of the spe
 		ElasticExternal:     discovery.UseExternalElastic(bootConfig),
 		UseV3CRDs:           v3CRDs,
 		APIDiscovery:        apiDiscovery,
+		Extensions:          enterprise.New(),
 	}
 
 	// Before we start any controllers, make sure our options are valid.

@@ -49,6 +49,7 @@ import (
 	"github.com/tigera/operator/pkg/controller/utils/imageset"
 	"github.com/tigera/operator/pkg/ctrlruntime"
 	"github.com/tigera/operator/pkg/dns"
+	"github.com/tigera/operator/pkg/extensions"
 	"github.com/tigera/operator/pkg/render"
 	rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement"
 	"github.com/tigera/operator/pkg/render/common/authentication"
@@ -474,7 +475,14 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 	}
 
 	// Create a component handler to manage the rendered component.
-	handler := utils.NewComponentHandler(log, r.client, r.scheme, instance)
+	handler := utils.NewComponentHandler(
+		log,
+		r.client,
+		r.scheme,
+		instance,
+		utils.WithRenderContext(extensions.RenderContext{Installation: installationSpec}),
+		utils.WithExtensions(r.opts.Extensions),
+	)
 
 	// Render the desired objects from the CRD and create or update them.
 	reqLogger.V(3).Info("rendering components")
@@ -497,6 +505,7 @@ func (r *ReconcileAPIServer) Reconcile(ctx context.Context, request reconcile.Re
 		KubernetesVersion:            r.opts.KubernetesVersion,
 		ClusterDomain:                r.opts.ClusterDomain,
 		RequiresAggregationServer:    !r.opts.UseV3CRDs,
+		RequiresQueryServer:          installationSpec.Variant.IsEnterprise(),
 		QueryServerTLSKeyPairCertificateManagementOnly: queryServerTLSSecretCertificateManagementOnly,
 	}
 

@@ -170,6 +170,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -229,6 +230,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -282,6 +284,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 					ClusterDomain:       dns.DefaultClusterDomain,
@@ -307,6 +310,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -329,6 +333,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -353,6 +358,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -375,6 +381,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      notReady,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -400,6 +407,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -427,6 +435,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -452,6 +461,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      notReady,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -478,6 +488,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: false,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -520,6 +531,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -552,6 +564,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -604,6 +617,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -673,6 +687,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 				},
@@ -777,6 +792,7 @@ var _ = Describe("apiserver controller tests", func() {
 					tierWatchReady:      ready,
 					migrationWatchReady: &utils.ReadyFlag{},
 					opts: options.ControllerOptions{
+						Extensions:          testExtensions,
 						EnterpriseCRDExists: true,
 						DetectedProvider:    operatorv1.ProviderNone,
 					},
@@ -806,6 +822,7 @@ var _ = Describe("apiserver controller tests", func() {
 					tierWatchReady:      ready,
 					migrationWatchReady: &utils.ReadyFlag{},
 					opts: options.ControllerOptions{
+						Extensions:          testExtensions,
 						EnterpriseCRDExists: true,
 						DetectedProvider:    operatorv1.ProviderNone,
 					},
@@ -836,6 +853,7 @@ var _ = Describe("apiserver controller tests", func() {
 					tierWatchReady:      ready,
 					migrationWatchReady: &utils.ReadyFlag{},
 					opts: options.ControllerOptions{
+						Extensions:          testExtensions,
 						EnterpriseCRDExists: true,
 						DetectedProvider:    operatorv1.ProviderNone,
 						MultiTenant:         true,
@@ -883,6 +901,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 					UseV3CRDs:           true,
@@ -927,6 +946,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: false,
 					DetectedProvider:    operatorv1.ProviderNone,
 					UseV3CRDs:           true,
@@ -955,6 +975,7 @@ var _ = Describe("apiserver controller tests", func() {
 				tierWatchReady:      ready,
 				migrationWatchReady: &utils.ReadyFlag{},
 				opts: options.ControllerOptions{
+					Extensions:          testExtensions,
 					EnterpriseCRDExists: true,
 					DetectedProvider:    operatorv1.ProviderNone,
 					UseV3CRDs:           false,

@@ -24,8 +24,17 @@ import (
 
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	"github.com/tigera/operator/pkg/enterprise"
+	"github.com/tigera/operator/pkg/extensions"
 )
 
+// testExtensions is the enterprise extension Set the API server controller tests
+// reconcile with, so the componentHandler applies the API server modifier (query
+// server, audit logging, Enterprise RBAC). Reconcilers built in these tests put
+// it on their options, mirroring how main wires it in production.
+var testExtensions *extensions.Set = enterprise.New()
+
 func TestStatus(t *testing.T) {
 	logf.SetLogger(zap.New(zap.WriteTo(ginkgo.GinkgoWriter), zap.UseDevMode(true), zap.Level(uzap.NewAtomicLevelAt(uzap.DebugLevel))))
 	gomega.RegisterFailHandler(ginkgo.Fail)

@@ -49,6 +49,7 @@ import (
 	"github.com/tigera/operator/pkg/controller/utils/imageset"
 	"github.com/tigera/operator/pkg/ctrlruntime"
 	"github.com/tigera/operator/pkg/dns"
+	"github.com/tigera/operator/pkg/extensions"
 	"github.com/tigera/operator/pkg/render"
 	"github.com/tigera/operator/pkg/render/common/networkpolicy"
 	"github.com/tigera/operator/pkg/render/goldmane"
@@ -173,9 +174,9 @@ func newReconciler(
 		scheme:                schema,
 		provider:              p,
 		status:                statusMgr,
-		clusterDomain:         opts.ClusterDomain,
 		tierWatchReady:        tierWatchReady,
 		clusterInfoWatchReady: clusterInfoWatchReady,
+		opts:                  opts,
 	}
 	c.status.Run(opts.ShutdownContext)
 	return c
@@ -190,11 +191,11 @@ type ReconcileConnection struct {
 	scheme                     *runtime.Scheme
 	provider                   operatorv1.Provider
 	status                     status.StatusManager
-	clusterDomain              string
 	tierWatchReady             *utils.ReadyFlag
 	clusterInfoWatchReady      *utils.ReadyFlag
 	resolvedPodProxies         []*httpproxy.Config
 	lastAvailabilityTransition metav1.Time
+	opts                       options.ControllerOptions
 }
 
 // Reconcile reads that state of the cluster for a ManagementClusterConnection object and makes changes based on the
@@ -283,7 +284,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 
 	log.V(2).Info("Loaded ManagementClusterConnection config", "config", managementClusterConnection)
 
-	certificateManager, err := certificatemanager.Create(r.cli, installationSpec, r.clusterDomain, common.OperatorNamespace(), certificatemanager.WithLogger(reqLogger))
+	certificateManager, err := certificatemanager.Create(r.cli, installationSpec, r.opts.ClusterDomain, common.OperatorNamespace(), certificatemanager.WithLogger(reqLogger))
 	if err != nil {
 		r.status.SetDegraded(operatorv1.ResourceCreateError, "Unable to create the Tigera CA", err, reqLogger)
 		return reconcile.Result{}, err
@@ -307,7 +308,7 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 
 	var guardianKeyPair certificatemanagement.KeyPairInterface
 	if !variant.IsEnterprise() {
-		guardianCertificateNames := dns.GetServiceDNSNames("guardian", render.GuardianNamespace, r.clusterDomain)
+		guardianCertificateNames := dns.GetServiceDNSNames("guardian", render.GuardianNamespace, r.opts.ClusterDomain)
 		guardianCertificateNames = append(guardianCertificateNames, "localhost", "127.0.0.1")
 		guardianKeyPair, err = certificateManager.GetOrCreateKeyPair(r.cli, render.GuardianKeyPairSecret, whisker.WhiskerNamespace, guardianCertificateNames)
 		if err != nil {
@@ -443,7 +444,14 @@ func (r *ReconcileConnection) Reconcile(ctx context.Context, request reconcile.R
 		return reconcile.Result{}, err
 	}
 
-	ch := utils.NewComponentHandler(log, r.cli, r.scheme, managementClusterConnection)
+	ch := utils.NewComponentHandler(
+		log,
+		r.cli,
+		r.scheme,
+		managementClusterConnection,
+		utils.WithRenderContext(extensions.RenderContext{Installation: installationSpec}),
+		utils.WithExtensions(r.opts.Extensions),
+	)
 	guardianCfg := &render.GuardianConfiguration{
 		URL:                         managementClusterConnection.Spec.ManagementClusterAddr,
 		PodProxies:                  r.resolvedPodProxies,

@@ -27,6 +27,7 @@ import (
 func TestStatus(t *testing.T) {
 	logf.SetLogger(zap.New(zap.WriteTo(ginkgo.GinkgoWriter)))
 	gomega.RegisterFailHandler(ginkgo.Fail)
+
 	suiteConfig, reporterConfig := ginkgo.GinkgoConfiguration()
 	reporterConfig.JUnitReport = "../../../report/ut/clusterconnection_controller_suite.xml"
 	ginkgo.RunSpecs(t, "pkg/controller/Management Cluster Connection Suite", suiteConfig, reporterConfig)

@@ -25,6 +25,7 @@ import (
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/controller/options"
 	"github.com/tigera/operator/pkg/controller/status"
+	"github.com/tigera/operator/pkg/enterprise"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -40,6 +41,7 @@ func NewReconcilerWithShims(
 ) reconcile.Reconciler {
 	opts := options.ControllerOptions{
 		ShutdownContext: context.Background(),
+		Extensions:      enterprise.New(),
 	}
 
 	return newReconciler(cli, schema, status, provider, tierWatchReady, clusterInfoWatchReady, opts)

@@ -174,7 +174,7 @@ type ReconcileGatewayAPI struct {
 	status              status.StatusManager
 	clusterDomain       string
 	multiTenant         bool
-	newComponentHandler func(log logr.Logger, client client.Client, scheme *runtime.Scheme, cr metav1.Object) utils.ComponentHandler
+	newComponentHandler func(log logr.Logger, client client.Client, scheme *runtime.Scheme, cr metav1.Object, opts ...utils.ComponentHandlerOption) utils.ComponentHandler
 	watchEnvoyProxy     func(namespacedName operatorv1.NamespacedName) error
 	watchEnvoyGateway   func(namespacedName operatorv1.NamespacedName) error
 	watchGateways       func() error

@@ -779,7 +779,7 @@ var _ = Describe("Gateway API controller tests", func() {
 
 var fakeComponentHandlers []*fakeComponentHandler
 
-func FakeComponentHandler(log logr.Logger, client client.Client, scheme *runtime.Scheme, cr metav1.Object) utils.ComponentHandler {
+func FakeComponentHandler(log logr.Logger, client client.Client, scheme *runtime.Scheme, cr metav1.Object, opts ...utils.ComponentHandlerOption) utils.ComponentHandler {
 	h := &fakeComponentHandler{
 		client: client,
 		scheme: scheme,