Add Inventory Controller watchers and VM tag management for VKS IDPS support

[yuntanghsu]

Add NSXServiceAccount and VirtualMachine watchers to the Inventory Controller, along with add/remove VM tag functionality in the Inventory Service. This enables tagging NSX Inventory VMs with nsx-op/cluster-name to support IDPS correlation of Kubernetes objects to IPs in VKS clusters.

Key changes:

• Add SupervisorClusterName field to NSXServiceAccountStatus and CRD schema, with backfill logic for already-realized ServiceAccounts
• Implement VirtualMachine informer that enqueues running VKS VMs for tag processing, with a dedicated delete handler to ensure taggedVMs store cleanup (avoiding memory leak)
• Implement NSXServiceAccount informer that enqueues VMs on SA realization and deletion for tag add/remove
• Add SyncVirtualMachineTag with idempotent add/remove logic using NSX Fabric API (POST update_tags), backed by in-memory taggedVMs store rehydrated from NSX on startup via initTaggedVMs
• Fix HandleHTTPResponse to accept 204 No Content and empty bodies
• Add comprehensive unit tests for all handlers and service logic

VGL-51541

Signed-off-by: Yun-Tang Hsu yun-tang.hsu@broadcom.com

[zhengxiexie]

Can one of the admins verify this patch?

[codecov-commenter]

Codecov Report

❌ Patch coverage is 99.63504% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 74.81%. Comparing base (6f7ddad) to head (8a497b9).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
.../nsxserviceaccount/nsxserviceaccount_controller.go	88.88%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1399      +/-   ##
==========================================
- Coverage   76.77%   74.81%   -1.96%     
==========================================
  Files         151      154       +3     
  Lines       21315    21600     +285     
==========================================
- Hits        16364    16160     -204     
+ Misses       3782     3781       -1     
- Partials     1169     1659     +490     

Flag	Coverage Δ
unit-tests	74.81% <99.63%> (-1.96%)	⬇️

Files with missing lines	Coverage Δ
pkg/controllers/inventory/inventory_controller.go	58.76% <ø> (-19.37%)	⬇️
...controllers/inventory/nsxserviceaccount_handler.go	100.00% <100.00%> (ø)
...kg/controllers/inventory/virtualmachine_handler.go	100.00% <100.00%> (ø)
pkg/nsx/services/inventory/inventory.go	48.51% <100.00%> (-15.56%)	⬇️
pkg/nsx/services/inventory/vm.go	100.00% <100.00%> (ø)
pkg/nsx/services/nsxserviceaccount/cluster.go	64.03% <100.00%> (-16.59%)	⬇️
pkg/nsx/util/utils.go	88.01% <100.00%> (ø)
.../nsxserviceaccount/nsxserviceaccount_controller.go	52.47% <88.88%> (-14.04%)	⬇️

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[salv-orlando]

With the exception of the above realization check, handleNSXServiceAccount and handleNSXServiceAccountDelete are exactly the same.

I think it should be ok to have this check even in the deletion handler, so maybe could we just remove handleNSXServiceAccountDelete?

[yuntanghsu]

Could the NSXServiceAccount somehow become unrealized? I separated them because if the NSXServiceAccount becomes unrealized, the update and delete functions will skip it, and the VM's tag won't be removed.

[salv-orlando]

dumb question: do you know if it's possible to pass a condition on ownerreferences to listoptions?
This should allow us to simply fetch the service account for a cluster

[yuntanghsu]

K8s ListOptions does not support filtering by ownerReferences fields. I think it should be fine as we only have very few NSXServiceAccounts per namespace?