Add Inventory Controller watchers and VM tag management for VKS IDPS support

Add NSXServiceAccount and VirtualMachine watchers to the Inventory
Controller, along with add/remove VM tag functionality in the Inventory
Service. This enables tagging NSX Inventory VMs with nsx-op/cluster-name
to support IDPS correlation of Kubernetes objects to IPs in VKS clusters.

Key changes:
- Add SupervisorClusterName field to NSXServiceAccountStatus and CRD
  schema, with backfill logic for already-realized ServiceAccounts
- Implement VirtualMachine informer that enqueues running VKS VMs for
  tag processing, with a dedicated delete handler to ensure taggedVMs
  store cleanup (avoiding memory leak)
- Implement NSXServiceAccount informer that enqueues VMs on SA
  realization and deletion for tag add/remove
- Add SyncVirtualMachineTag with idempotent add/remove logic using
  NSX Fabric API (POST update_tags), backed by in-memory taggedVMs
  store rehydrated from NSX on startup via initTaggedVMs
- Fix HandleHTTPResponse to accept 204 No Content and empty bodies
- Add comprehensive unit tests for all handlers and service logic

VGL-51541

Signed-off-by: Yun-Tang Hsu <yun-tang.hsu@broadcom.com>

Author: yuntanghsu

build/yaml/crd/legacy/nsx.vmware.com_nsxserviceaccounts.yaml

@@ -154,6 +154,8 @@ spec:
                 type: object
               reason:
                 type: string
+              supervisorClusterName:
+                type: string
               secrets:
                 items:
                   properties:

pkg/apis/legacy/v1alpha1/nsxserviceaccount_types.go

@@ -66,14 +66,15 @@ type NSXServiceAccountStatus struct {
 	Reason string                 `json:"reason,omitempty"`
 	// Represents the realization status of a NSXServiceAccount's current state.
 	// Known .status.conditions.type is: "Realized"
-	Conditions       []metav1.Condition `json:"conditions,omitempty"`
-	VPCPath          string             `json:"vpcPath,omitempty"`
-	NSXManagers      []string           `json:"nsxManagers,omitempty"`
-	ProxyEndpoints   NSXProxyEndpoint   `json:"proxyEndpoints,omitempty"`
-	ClusterID        string             `json:"clusterID,omitempty"`
-	ClusterName      string             `json:"clusterName,omitempty"`
-	Secrets          []NSXSecret        `json:"secrets,omitempty"`
-	NSXRestoreStatus *NSXRestoreStatus  `json:"nsxRestoreStatus,omitempty"`
+	Conditions            []metav1.Condition `json:"conditions,omitempty"`
+	VPCPath               string             `json:"vpcPath,omitempty"`
+	NSXManagers           []string           `json:"nsxManagers,omitempty"`
+	ProxyEndpoints        NSXProxyEndpoint   `json:"proxyEndpoints,omitempty"`
+	ClusterID             string             `json:"clusterID,omitempty"`
+	ClusterName           string             `json:"clusterName,omitempty"`
+	SupervisorClusterName string             `json:"supervisorClusterName,omitempty"`
+	Secrets               []NSXSecret        `json:"secrets,omitempty"`
+	NSXRestoreStatus      *NSXRestoreStatus  `json:"nsxRestoreStatus,omitempty"`
 }
 
 // +genclient

pkg/controllers/inventory/inventory_controller.go

@@ -45,6 +45,8 @@ var (
 		watchIngress,
 		watchNode,
 		watchNetworkPolicy,
+		watchNSXServiceAccount,
+		watchVirtualMachine,
 	}
 )
 

pkg/controllers/inventory/inventory_controller_test.go

@@ -53,17 +53,27 @@ func (m *MockCache) List(ctx context.Context, list client.ObjectList, opts ...cl
 }
 func (m *MockCache) GetInformer(ctx context.Context, obj client.Object, opts ...cache.InformerGetOption) (cache.Informer, error) {
 	args := m.Called(ctx, obj)
-	return &MockInformer{}, args.Error(1)
+	informer, _ := args.Get(0).(cache.Informer)
+	return informer, args.Error(1)
 }
 
 type MockInformer struct {
 	mock.Mock
-	handlers toolscache.ResourceEventHandlerFuncs
+	handlers          toolscache.ResourceEventHandlerFuncs
+	registeredHandler toolscache.ResourceEventHandler
+	addHandlerErr     error
 	cache.Informer
 }
 
 func (m *MockInformer) AddEventHandler(handler toolscache.ResourceEventHandler) (toolscache.ResourceEventHandlerRegistration, error) {
-	if m != nil && m.handlers.AddFunc != nil {
+	if m == nil {
+		return nil, nil
+	}
+	if m.addHandlerErr != nil {
+		return nil, m.addHandlerErr
+	}
+	m.registeredHandler = handler
+	if m.handlers.AddFunc != nil {
 		m.handlers.AddFunc(handler)
 	}
 	return m, nil

pkg/controllers/inventory/nsxserviceaccount_handler.go

@@ -0,0 +1,126 @@
+package inventory
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	vmv1alpha1 "github.com/vmware-tanzu/vm-operator/api/v1alpha1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	nsxvmwarecomv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/legacy/v1alpha1"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/inventory"
+)
+
+func watchNSXServiceAccount(c *InventoryController, mgr ctrl.Manager) error {
+	nsxSAInformer, err := mgr.GetCache().GetInformer(context.Background(), &nsxvmwarecomv1alpha1.NSXServiceAccount{})
+	if err != nil {
+		log.Error(err, "Failed to create NSXServiceAccount informer")
+		return err
+	}
+
+	_, err = nsxSAInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			c.handleNSXServiceAccount(obj)
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			c.handleNSXServiceAccount(newObj)
+		},
+		DeleteFunc: func(obj interface{}) {
+			c.handleNSXServiceAccountDelete(obj)
+		},
+	})
+	if err != nil {
+		log.Error(err, "Failed to add NSXServiceAccount event handler")
+		return err
+	}
+	return nil
+}
+
+func (c *InventoryController) handleNSXServiceAccount(obj interface{}) {
+	var nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount
+	switch v := obj.(type) {
+	case *nsxvmwarecomv1alpha1.NSXServiceAccount:
+		nsxSA = v
+	case cache.DeletedFinalStateUnknown:
+		var ok bool
+		nsxSA, ok = v.Obj.(*nsxvmwarecomv1alpha1.NSXServiceAccount)
+		if !ok {
+			err := fmt.Errorf("obj is not valid *NSXServiceAccount")
+			log.Error(err, "DeletedFinalStateUnknown Obj is not *NSXServiceAccount")
+			return
+		}
+	}
+
+	if nsxSA.Status.Phase != nsxvmwarecomv1alpha1.NSXServiceAccountPhaseRealized {
+		log.Debug("Skip NSXServiceAccount not yet realized", "namespace", nsxSA.Namespace, "name", nsxSA.Name)
+		return
+	}
+
+	c.enqueueVMsForCluster(nsxSA)
+}
+
+func (c *InventoryController) handleNSXServiceAccountDelete(obj interface{}) {
+	var nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount
+	switch v := obj.(type) {
+	case *nsxvmwarecomv1alpha1.NSXServiceAccount:
+		nsxSA = v
+	case cache.DeletedFinalStateUnknown:
+		var ok bool
+		nsxSA, ok = v.Obj.(*nsxvmwarecomv1alpha1.NSXServiceAccount)
+		if !ok {
+			err := fmt.Errorf("obj is not valid *NSXServiceAccount")
+			log.Error(err, "DeletedFinalStateUnknown Obj is not *NSXServiceAccount")
+			return
+		}
+	}
+
+	log.Info("NSXServiceAccount deleted, enqueuing VMs for tag removal", "namespace", nsxSA.Namespace, "name", nsxSA.Name)
+	c.enqueueVMsForCluster(nsxSA)
+}
+
+// enqueueVMsForCluster lists VirtualMachines belonging to the NSXServiceAccount's
+// CAPI cluster and enqueues them to the inventory queue for VM tag processing.
+func (c *InventoryController) enqueueVMsForCluster(nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount) {
+	clusterName := getClusterNameFromSA(nsxSA)
+	if clusterName == "" {
+		log.Info("NSXServiceAccount has no Cluster OwnerReference, skipping VM enqueue",
+			"namespace", nsxSA.Namespace, "name", nsxSA.Name)
+		return
+	}
+
+	vmList := &vmv1alpha1.VirtualMachineList{}
+	if err := c.Client.List(context.Background(), vmList, &client.ListOptions{
+		Namespace:     nsxSA.Namespace,
+		LabelSelector: labels.SelectorFromSet(labels.Set{inventory.CAPIClusterNameLabel: clusterName}),
+	}); err != nil {
+		log.Error(err, "Failed to list VirtualMachines for cluster",
+			"namespace", nsxSA.Namespace, "cluster", clusterName)
+		return
+	}
+
+	for i := range vmList.Items {
+		vm := &vmList.Items[i]
+		log.Debug("Enqueuing VM from NSXServiceAccount event",
+			"namespace", vm.Namespace, "name", vm.Name, "cluster", clusterName)
+		key, _ := keyFunc(vm)
+		c.inventoryObjectQueue.Add(inventory.InventoryKey{
+			InventoryType: inventory.InventoryVirtualMachine,
+			ExternalId:    vm.Status.InstanceUUID,
+			Key:           key,
+		})
+	}
+}
+
+// getClusterNameFromSA extracts the CAPI Cluster name from the NSXServiceAccount's OwnerReferences.
+func getClusterNameFromSA(nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount) string {
+	for _, ref := range nsxSA.OwnerReferences {
+		if ref.Kind == "Cluster" && strings.Contains(ref.APIVersion, "cluster.x-k8s.io") {
+			return ref.Name
+		}
+	}
+	return ""
+}