Add CALICO_API_GROUP env var injection via apigroup package

Introduce pkg/apigroup to track the active CRD API group and inject
CALICO_API_GROUP into all workload containers via the component handler.
This tells components whether to use projectcalico.org/v3 or the legacy
crd.projectcalico.org/v1 API group.

Author: caseydavenport

cmd/main.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/tigera/operator/internal/controller"
 	"github.com/tigera/operator/pkg/active"
+	"github.com/tigera/operator/pkg/apigroup"
 	"github.com/tigera/operator/pkg/apis"
 	"github.com/tigera/operator/pkg/awssgsetup"
 	"github.com/tigera/operator/pkg/common"
@@ -217,6 +218,11 @@ If a value other than 'all' is specified, the first CRD with a prefix of the spe
 		os.Exit(1)
 	}
 
+	// Tell the component handler which API group to inject into workloads.
+	if v3CRDs {
+		apigroup.Set(apigroup.V3)
+	}
+
 	// Add the Calico API to the scheme, now that we know which backing CRD version to use.
 	utilruntime.Must(apis.AddToScheme(scheme, v3CRDs))
 

pkg/apigroup/apigroup.go

@@ -0,0 +1,76 @@
+// Copyright (c) 2026 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package apigroup tracks which Calico API group the operator should configure
+// on the workloads it manages. The value is set once at startup (or when a
+// datastore migration completes) and read by the component handler to inject
+// the CALICO_API_GROUP env var into all workload containers.
+package apigroup
+
+import (
+	"sync"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+// APIGroup identifies which Calico CRD API group to use.
+type APIGroup int
+
+const (
+	// Unknown means the API group hasn't been determined yet.
+	Unknown APIGroup = iota
+	// V1 uses crd.projectcalico.org/v1 (legacy, via aggregated API server).
+	V1
+	// V3 uses projectcalico.org/v3 (native CRDs, no API server).
+	V3
+)
+
+const (
+	envVarName = "CALICO_API_GROUP"
+	v3Value    = "projectcalico.org/v3"
+)
+
+var (
+	mu      sync.RWMutex
+	current APIGroup
+	envVars []corev1.EnvVar
+)
+
+// Set records the active API group. If V3, subsequent calls to EnvVars will
+// return a CALICO_API_GROUP env var for injection into workload containers.
+func Set(g APIGroup) {
+	mu.Lock()
+	defer mu.Unlock()
+	current = g
+	if g == V3 {
+		envVars = []corev1.EnvVar{{Name: envVarName, Value: v3Value}}
+	} else {
+		envVars = nil
+	}
+}
+
+// Get returns the current API group.
+func Get() APIGroup {
+	mu.RLock()
+	defer mu.RUnlock()
+	return current
+}
+
+// EnvVars returns the env vars to inject into workload containers, or nil if
+// no explicit API group has been configured.
+func EnvVars() []corev1.EnvVar {
+	mu.RLock()
+	defer mu.RUnlock()
+	return envVars
+}

pkg/apigroup/apigroup_test.go

@@ -0,0 +1,67 @@
+// Copyright (c) 2026 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package apigroup
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestSetAndGet(t *testing.T) {
+	tests := []struct {
+		name        string
+		set         APIGroup
+		wantGet     APIGroup
+		wantEnvVars []corev1.EnvVar
+	}{
+		{
+			name:        "default state is Unknown with nil env vars",
+			set:         Unknown,
+			wantGet:     Unknown,
+			wantEnvVars: nil,
+		},
+		{
+			name:    "V3 returns CALICO_API_GROUP env var",
+			set:     V3,
+			wantGet: V3,
+			wantEnvVars: []corev1.EnvVar{
+				{Name: "CALICO_API_GROUP", Value: "projectcalico.org/v3"},
+			},
+		},
+		{
+			name:        "V1 returns nil env vars",
+			set:         V1,
+			wantGet:     V1,
+			wantEnvVars: nil,
+		},
+		{
+			name:        "setting back to Unknown clears env vars",
+			set:         Unknown,
+			wantGet:     Unknown,
+			wantEnvVars: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			Set(tt.set)
+			g.Expect(Get()).To(Equal(tt.wantGet))
+			g.Expect(EnvVars()).To(Equal(tt.wantEnvVars))
+		})
+	}
+}

pkg/controller/utils/component.go

@@ -42,6 +42,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
+	"github.com/tigera/operator/pkg/apigroup"
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/controller/status"
 	"github.com/tigera/operator/pkg/render"
@@ -75,19 +76,21 @@ type ComponentHandler interface {
 // this is useful for CRD management so that they are not removed automatically.
 func NewComponentHandler(log logr.Logger, cli client.Client, scheme *runtime.Scheme, cr metav1.Object) ComponentHandler {
 	return &componentHandler{
-		client: cli,
-		scheme: scheme,
-		cr:     cr,
-		log:    log,
+		client:       cli,
+		scheme:       scheme,
+		cr:           cr,
+		log:          log,
+		apiGroupEnvs: apigroup.EnvVars(),
 	}
 }
 
 type componentHandler struct {
-	client     client.Client
-	scheme     *runtime.Scheme
-	cr         metav1.Object
-	log        logr.Logger
-	createOnly bool
+	client       client.Client
+	scheme       *runtime.Scheme
+	cr           metav1.Object
+	log          logr.Logger
+	createOnly   bool
+	apiGroupEnvs []v1.EnvVar
 }
 
 func (c *componentHandler) SetCreateOnly() {
@@ -444,6 +447,12 @@ func (c *componentHandler) CreateOrUpdateOrDelete(ctx context.Context, component
 	objsToCreate, objsToDelete := component.Objects()
 	osType := component.SupportedOSType()
 
+	if len(c.apiGroupEnvs) > 0 {
+		for _, obj := range objsToCreate {
+			c.injectAPIGroupEnv(obj)
+		}
+	}
+
 	var alreadyExistsErr error = nil
 
 	for _, obj := range objsToCreate {
@@ -1129,3 +1138,50 @@ func (r *ReadyFlag) MarkAsReady() {
 	defer r.mu.Unlock()
 	r.isReady = true
 }
+
+// injectAPIGroupEnv adds the CALICO_API_GROUP env var to all containers in
+// workload objects. This ensures every component uses the correct API group
+// during and after a datastore migration.
+func (c *componentHandler) injectAPIGroupEnv(obj client.Object) {
+	var podSpec *v1.PodSpec
+	switch o := obj.(type) {
+	case *apps.Deployment:
+		podSpec = &o.Spec.Template.Spec
+	case *apps.DaemonSet:
+		podSpec = &o.Spec.Template.Spec
+	case *apps.StatefulSet:
+		podSpec = &o.Spec.Template.Spec
+	case *batchv1.Job:
+		podSpec = &o.Spec.Template.Spec
+	case *batchv1.CronJob:
+		podSpec = &o.Spec.JobTemplate.Spec.Template.Spec
+	default:
+		return
+	}
+	for i := range podSpec.Containers {
+		podSpec.Containers[i].Env = mergeEnvVars(podSpec.Containers[i].Env, c.apiGroupEnvs)
+	}
+	for i := range podSpec.InitContainers {
+		podSpec.InitContainers[i].Env = mergeEnvVars(podSpec.InitContainers[i].Env, c.apiGroupEnvs)
+	}
+}
+
+// mergeEnvVars adds or updates env vars in existing. If an env var with the
+// same name already exists, its value is updated in place.
+func mergeEnvVars(existing []v1.EnvVar, toMerge []v1.EnvVar) []v1.EnvVar {
+	for _, env := range toMerge {
+		found := false
+		for i, e := range existing {
+			if e.Name == env.Name {
+				existing[i].Value = env.Value
+				existing[i].ValueFrom = env.ValueFrom
+				found = true
+				break
+			}
+		}
+		if !found {
+			existing = append(existing, env)
+		}
+	}
+	return existing
+}