Add EAS api implementation

1. add a new eas service in nsx-operator
2. register eas service to k8s api server
3. start a http service on 9553 port
4. add eas service implentations for ip usages api yamls

Author: seanpang-vmware

Makefile

@@ -97,6 +97,11 @@ build-clean: generate fmt vet ## Build clean binary.
 	@mkdir -p $(BINDIR)
 	GOOS=linux go build -o $(BINDIR)/clean $(GOFLAGS) -ldflags '$(LDFLAGS)' cmd_clean/main.go
 
+.PHONY: build-eas
+build-eas: generate fmt vet ## Build EAS (Extension API Server) binary.
+	@mkdir -p $(BINDIR)
+	GOOS=linux go build -o $(BINDIR)/eas $(GOFLAGS) -ldflags '$(LDFLAGS)' cmd_eas/main.go
+
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./cmd/main.go
@@ -113,6 +118,10 @@ docker-push: ## Push docker image with the manager.
 photon:
 	docker build -t github.com/vmware-tanzu/nsx-operator -f build/image/photon/Dockerfile .
 
+.PHONY: eas
+eas:
+	docker build -t github.com/vmware-tanzu/nsx-eas -f build/image/eas/Dockerfile .
+
 .PHONY: clean
 clean:
 	@rm -rf $(BINDIR)

build/image/eas/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.25.7 as golang-build
+
+WORKDIR /source
+
+COPY . /source
+RUN CGO_ENABLED=0 go build -o eas cmd_eas/main.go
+
+FROM photon
+
+RUN tdnf -y install shadow && \
+    useradd -s /bin/bash eas
+
+COPY --from=golang-build /source/eas /usr/local/bin/
+
+USER eas
+
+ENTRYPOINT ["/usr/local/bin/eas"]

build/yaml/crd/eas/eas.nsx.vmware.com_vpcipaddressusages.yaml

@@ -107,7 +107,9 @@ spec:
                     - start
                     type: object
                   type: array
-                name:
+                ipBlockName:
+                  description: IPBlockName is the NSX resource ID of the IP block
+                    (the leaf segment of the policy path).
                   type: string
                 percentageUsed:
                   description: Percentage of used IP address space.

build/yaml/eas/apiservice.yaml

@@ -10,4 +10,4 @@ spec:
   service:
     name: nsx-eas
     namespace: vmware-system-nsx
-  insecureSkipTLSVerify: true
+  insecureSkipTLSVerify: true

build/yaml/eas/clusterrole.yaml

@@ -10,6 +10,9 @@ rules:
   - subnetippools
   - subnetdhcpserverstats
   verbs: ["get", "list"]
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

build/yaml/eas/eas-service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsx-eas
+  namespace: vmware-system-nsx
+  labels:
+    app.kubernetes.io/name: service
+    app.kubernetes.io/instance: eas-service
+    app.kubernetes.io/component: eas
+    app.kubernetes.io/created-by: nsx-operator
+    app.kubernetes.io/part-of: nsx-operator
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  ports:
+  - port: 443
+    targetPort: 9553
+    protocol: TCP
+  selector:
+    component: nsx-ncp

build/yaml/eas/service.yaml

@@ -0,0 +1,148 @@
+/* Copyright © 2026 Broadcom, Inc. All Rights Reserved.
+   SPDX-License-Identifier: Apache-2.0 */
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
+	vpcv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/vpc/v1alpha1"
+	"github.com/vmware-tanzu/nsx-operator/pkg/config"
+	"github.com/vmware-tanzu/nsx-operator/pkg/eas"
+	"github.com/vmware-tanzu/nsx-operator/pkg/eas/server"
+	"github.com/vmware-tanzu/nsx-operator/pkg/logger"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
+	pkgutil "github.com/vmware-tanzu/nsx-operator/pkg/util"
+)
+
+var (
+	// scheme is the controller-runtime manager's scheme.
+	// It only needs types that the VPC info provider and EAS storage layer
+	// read from kube-apiserver (VPCNetworkConfiguration, Subnet …).
+	// EAS API types (VPCIPAddressUsage etc.) are served entirely from NSX data
+	// and live in the generic API server's own scheme (pkg/eas/server/scheme.go).
+	scheme         = runtime.NewScheme()
+	configFilePath string
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(vpcv1alpha1.AddToScheme(scheme))
+}
+
+func main() {
+	var logLevel int
+	flag.StringVar(&configFilePath, "nsxconfig", "/etc/nsx-ujo/ncp.ini", "NSX Operator configuration file path")
+	flag.IntVar(&logLevel, "log-level", 0, "Log verbosity level (0=info, 1=debug, 2=trace)")
+	flag.StringVar(&config.ProbeAddr, "health-probe-bind-address", ":8385", "The address the probe endpoint binds to.")
+	flag.Parse()
+
+	config.UpdateConfigFilePath(configFilePath)
+	cf, err := config.NewNSXOperatorConfigFromFile()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to read config: %v\n", err)
+		os.Exit(1)
+	}
+
+	log := logger.ZapCustomLogger(cf.DefaultConfig.Debug, logLevel)
+	logger.Log = log
+	// Register logger with controller-runtime to suppress "log.SetLogger(...) was never called" warning.
+	logf.SetLogger(log.Logger)
+
+	log.Info("Starting NSX Extension API Server")
+
+	// Generate TLS certificates for the EAS HTTPS server.
+	// The generic API server (k8s.io/apiserver) uses dynamic certificate loading
+	// via dynamiccertificates.NewDynamicServingContentFromFiles, so it
+	// automatically picks up renewed cert files without a pod restart.
+	// The returned CA PEM is injected into the APIService caBundle so that
+	// kube-apiserver can verify the EAS TLS connection.
+	caCert, err := pkgutil.GenerateEASCerts()
+	if err != nil {
+		log.Error(err, "Failed to generate EAS certificates")
+		os.Exit(1)
+	}
+	log.Info("EAS certificates generated successfully")
+	go refreshEASCertPeriodically()
+
+	// Initialize NSX client.
+	nsxClient := nsx.GetClient(cf)
+	if nsxClient == nil {
+		log.Error(nil, "Failed to get NSX client")
+		os.Exit(1)
+	}
+	log.Info("NSX client initialized")
+
+	// Build the k8s rest config and a controller-runtime manager.
+	// EAS is read-only so leader election is disabled — all replicas serve
+	// concurrently, load-balanced by the kube Service.
+	cfg, err := pkgutil.GetConfig()
+	if err != nil {
+		log.Error(err, "Failed to get REST config for manager")
+		os.Exit(1)
+	}
+
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		Scheme:         scheme,
+		LeaderElection: false,
+		// Metrics are served by the generic API server at /metrics on the EAS port.
+		// Disable the controller-runtime metrics server to avoid port conflicts.
+		Metrics: metricsserver.Options{BindAddress: "0"},
+		// Liveness/readiness probes for the pod (distinct from the generic API
+		// server's built-in /healthz, /readyz, /livez endpoints on the EAS port).
+		HealthProbeBindAddress: config.ProbeAddr,
+	})
+	if err != nil {
+		log.Error(err, "Failed to create manager")
+		os.Exit(1)
+	}
+
+	vpcProvider := eas.NewK8sVPCInfoProvider(mgr.GetClient())
+	srv := server.NewEASServer(nsxClient, vpcProvider, mgr.GetClient(), cfg, caCert)
+	if err := mgr.Add(srv); err != nil {
+		log.Error(err, "Failed to add EAS server to manager")
+		os.Exit(1)
+	}
+
+	if err := mgr.AddHealthzCheck("healthz", nsxClient.NSXChecker.CheckNSXHealth); err != nil {
+		log.Error(err, "Failed to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", nsxClient.NSXChecker.CheckNSXHealth); err != nil {
+		log.Error(err, "Failed to set up ready check")
+		os.Exit(1)
+	}
+
+	log.Info("Starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		log.Error(err, "Failed to start manager")
+		os.Exit(1)
+	}
+}
+
+// refreshEASCertPeriodically regenerates the EAS TLS certificate every 30 days.
+// The generic API server loads certs via dynamiccertificates.NewDynamicServingContentFromFiles,
+// which watches the cert files for changes and reloads them automatically — so new
+// certs are picked up without a pod restart.
+func refreshEASCertPeriodically() {
+	ticker := time.NewTicker(30 * 24 * time.Hour)
+	defer ticker.Stop()
+	for range ticker.C {
+		logger.Log.Info("Refreshing EAS certificates...")
+		if _, err := pkgutil.GenerateEASCerts(); err != nil {
+			logger.Log.Error(err, "Failed to refresh EAS certificates")
+		} else {
+			logger.Log.Info("EAS certificates refreshed successfully")
+		}
+	}
+}

cmd_eas/main.go

@@ -21,7 +21,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/kevinburke/ssh_config v1.2.0
 	github.com/openlyinc/pointy v1.1.2
-	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_golang v1.23.2
 	github.com/rs/zerolog v1.34.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.11.1
@@ -35,41 +35,58 @@ require (
 	github.com/vmware/vsphere-automation-sdk-go/services/nsxt v0.0.0-20260310075027-d32fca6a7b22
 	github.com/vmware/vsphere-automation-sdk-go/services/nsxt-mp v0.0.0-20260310075027-d32fca6a7b22
 	go.uber.org/automaxprocs v1.5.3
-	go.uber.org/zap v1.26.0
+	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.47.0
 	golang.org/x/sync v0.19.0
 	golang.org/x/time v0.14.0
 	gopkg.in/ini.v1 v1.66.4
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.35.1
 	k8s.io/apimachinery v0.35.1
+	k8s.io/apiserver v0.35.1
 	k8s.io/client-go v0.35.1
 	k8s.io/code-generator v0.31.0
 	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.19.0
 )
 
 require (
+	cel.dev/expr v0.24.0 // indirect
+	github.com/NYTimes/gziphandler v1.1.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beevik/etree v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gibson042/canonicaljson-go v1.0.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.2 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/cel-go v0.26.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
@@ -82,16 +99,31 @@ require (
 	github.com/onsi/gomega v1.39.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/cobra v1.10.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
@@ -100,14 +132,21 @@ require (
 	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/grpc v1.72.2 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.31.0 // indirect
+	k8s.io/component-base v0.35.1 // indirect
 	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kms v0.35.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect