Add From/To fields in SecurityPolicy

[wenqiq]

Replace the current Sources/Destinations fields with From/To in SecurityPolicy CRD, this aligns with Kubernetes NetworkPolicy naming conventions.
Introduce from/to peer selectors as the preferred fields in SecurityPolicy rules.
Keep sources/destinations for backward compatibility and normalize aliases so from/to take precedence.
Update CRD schemas, samples, docs, and unit tests accordingly.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 74.41860% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.75%. Comparing base (315ffc8) to head (b9716ad).

Files with missing lines	Patch %	Lines
pkg/nsx/services/securitypolicy/firewall.go	64.70%	0 Missing and 6 partials ⚠️
pkg/nsx/services/securitypolicy/builder.go	80.95%	0 Missing and 4 partials ⚠️
pkg/nsx/services/securitypolicy/expand.go	80.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1391      +/-   ##
==========================================
- Coverage   75.34%   73.75%   -1.59%     
==========================================
  Files         151      151              
  Lines       21317    21375      +58     
==========================================
- Hits        16062    15766     -296     
- Misses       3784     3815      +31     
- Partials     1471     1794     +323     

Flag	Coverage Δ
unit-tests	73.75% <74.41%> (-1.59%)	⬇️

Files with missing lines	Coverage Δ
pkg/nsx/services/securitypolicy/expand.go	69.49% <80.00%> (-3.47%)	⬇️
pkg/nsx/services/securitypolicy/builder.go	71.15% <80.95%> (-16.45%)	⬇️
pkg/nsx/services/securitypolicy/firewall.go	60.46% <64.70%> (-11.39%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[timdengyun]

This is for T1 mode, I think we don't need to change it, it's in deprecated stage.

[timdengyun]

but internally controller logic, we don't have a real internal version of CRD, in fact, we use v1alpha1.SecurityPolicy acting as an internal version, and do CRD conversion.
https://github.com/vmware-tanzu/nsx-operator/blob/main/pkg/controllers/securitypolicy/securitypolicy_controller.go#L149
So, if necessary, we can keep this change in T1 and make both CRD definitions identical except group version.

[timdengyun]

we might want to keep rule.From and remove rule.Sources later, so, is better copy to rule.From.
This might need more changes where it's referring to rule.Source.

[wenqiq]

updated

[timdengyun]

but internally controller logic, we don't have a real internal version of CRD, in fact, we use v1alpha1.SecurityPolicy acting as an internal version, and do CRD conversion.
https://github.com/vmware-tanzu/nsx-operator/blob/main/pkg/controllers/securitypolicy/securitypolicy_controller.go#L149
So, if necessary, we can keep this change in T1 and make both CRD definitions identical except group version.

[timdengyun]

we should keep rule.From, since we want to deprecate rule.Source.
And fro upgrade case, we need to consider support both rule.Source and rule.From.
For upgrade, copy rule.Source to rule.From.
For greenfield, we can only support From.

[wenqiq]

Thanks for reviewing. The current code handles this by ensuring compatibility between the two fields. When both "From" and "Sources" are present, the content of "From" is prioritized. To minimize changes, "Sources" is still used internally. Therefore, the condition here is to replace "Sources" with "From" if the "From" field is not empty.

[timdengyun]

It's ok. we can reduce changes.

[heypnus]

Could you please update the "Testing done" in the patch, especially the upgrade case? Thanks.

[heypnus]

typo: destinations

[heypnus]

For the upgrade case, all security policy's hash will change, right? Will it cause the security policy downtime during the upgrade?

[timdengyun]

Right, please added test cases.