vmware-tanzu
diff --git a/‎Makefile‎
Lines changed: 34 additions & 1 deletion b/‎Makefile‎
Lines changed: 34 additions & 1 deletion
diff --git a/‎build/image/eas/Dockerfile‎
Lines changed: 17 additions & 0 deletions b/‎build/image/eas/Dockerfile‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎build/yaml/crd/eas/eas.nsx.vmware.com_vpcipaddressusages.yaml‎
Lines changed: 3 additions & 1 deletion b/‎build/yaml/crd/eas/eas.nsx.vmware.com_vpcipaddressusages.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎build/yaml/eas/apiservice.yaml‎
Lines changed: 1 addition & 1 deletion b/‎build/yaml/eas/apiservice.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎build/yaml/eas/clusterrole.yaml‎
Lines changed: 3 additions & 0 deletions b/‎build/yaml/eas/clusterrole.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎build/yaml/eas/eas-service.yaml‎
Lines changed: 19 additions & 0 deletions b/‎build/yaml/eas/eas-service.yaml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎build/yaml/eas/service.yaml‎
Lines changed: 0 additions & 12 deletions b/‎build/yaml/eas/service.yaml‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎cmd_eas/main.go‎
Lines changed: 136 additions & 0 deletions b/‎cmd_eas/main.go‎
Lines changed: 136 additions & 0 deletions
@@ -46,7 +46,9 @@ changecrd: manifests generate generate-api-docs
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="github.com/vmware-tanzu/nsx-operator/pkg/apis/legacy/v1alpha1" output:crd:artifacts:config=build/yaml/crd/legacy/
 	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="github.com/vmware-tanzu/nsx-operator/pkg/apis/vpc/v1alpha1" output:crd:artifacts:config=build/yaml/crd/vpc/
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="github.com/vmware-tanzu/nsx-operator/pkg/apis/eas/v1alpha1" output:crd:artifacts:config=build/yaml/crd/eas/
+# NOTE: EAS types are served by the generic API server (via APIService), NOT as CRDs.
+# Do NOT run controller-gen crd for pkg/apis/eas/v1alpha1 — installing EAS CRDs alongside
+# the APIService causes duplicate-resource conflicts in kube-apiserver.
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -97,6 +99,11 @@ build-clean: generate fmt vet ## Build clean binary.
 	@mkdir -p $(BINDIR)
 	GOOS=linux go build -o $(BINDIR)/clean $(GOFLAGS) -ldflags '$(LDFLAGS)' cmd_clean/main.go
 
+.PHONY: build-eas
+build-eas: generate fmt vet ## Build EAS (Extension API Server) binary.
+	@mkdir -p $(BINDIR)
+	GOOS=linux go build -o $(BINDIR)/eas $(GOFLAGS) -ldflags '$(LDFLAGS)' cmd_eas/main.go
+
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./cmd/main.go
@@ -113,6 +120,10 @@ docker-push: ## Push docker image with the manager.
 photon:
 	docker build -t github.com/vmware-tanzu/nsx-operator -f build/image/photon/Dockerfile .
 
+.PHONY: eas
+eas:
+	docker build -t github.com/vmware-tanzu/nsx-eas -f build/image/eas/Dockerfile .
+
 .PHONY: clean
 clean:
 	@rm -rf $(BINDIR)
@@ -164,6 +175,28 @@ code-generator: ## Download code-generator locally if necessary.
 generated: code-generator
 	./hack/update-codegen.sh
 
+OPENAPI_GEN = $(shell pwd)/bin/openapi-gen
+# openapi-gen moved from k8s.io/code-generator to k8s.io/kube-openapi (since ~v0.27).
+# We install it directly via "go install" in the project root so it uses the
+# version already pinned in go.mod without needing to create a throw-away module.
+.PHONY: openapi-gen
+openapi-gen: ## Build openapi-gen binary into bin/ (uses k8s.io/kube-openapi version from go.mod).
+	@[ -f $(OPENAPI_GEN) ] || GOBIN=$(CURDIR)/bin go install k8s.io/kube-openapi/cmd/openapi-gen
+
+.PHONY: generate-eas-openapi
+generate-eas-openapi: openapi-gen ## Generate OpenAPI definitions for EAS types plus the apimachinery meta/v1 and version types they reference.
+	$(OPENAPI_GEN) \
+	  --output-dir     pkg/apis/eas/v1alpha1 \
+	  --output-pkg     github.com/vmware-tanzu/nsx-operator/pkg/apis/eas/v1alpha1 \
+	  --output-file    zz_generated.openapi.go \
+	  --go-header-file hack/boilerplate.go.txt \
+	  --report-filename - \
+	  github.com/vmware-tanzu/nsx-operator/pkg/apis/eas/v1alpha1 \
+	  k8s.io/apimachinery/pkg/apis/meta/v1 \
+	  k8s.io/apimachinery/pkg/version
+	@echo ""
+	@echo "Generated pkg/apis/eas/v1alpha1/zz_generated.openapi.go"
+
 CRD_REF_DOCS = $(shell pwd)/bin/crd-ref-docs
 .PHONY: crd-ref-docs
 crd-ref-docs: ## Install crd-ref-docs
 
@@ -0,0 +1,17 @@
+FROM golang:1.25.7 as golang-build
+
+WORKDIR /source
+
+COPY . /source
+RUN CGO_ENABLED=0 go build -o eas cmd_eas/main.go
+
+FROM photon
+
+RUN tdnf -y install shadow && \
+    useradd -s /bin/bash eas
+
+COPY --from=golang-build /source/eas /usr/local/bin/
+
+USER eas
+
+ENTRYPOINT ["/usr/local/bin/eas"]
@@ -107,7 +107,9 @@ spec:
                     - start
                     type: object
                   type: array
-                name:
+                ipBlockName:
+                  description: IPBlockName is the NSX resource ID of the IP block
+                    (the leaf segment of the policy path).
                   type: string
                 percentageUsed:
                   description: Percentage of used IP address space.
 
@@ -10,4 +10,4 @@ spec:
   service:
     name: nsx-eas
     namespace: vmware-system-nsx
-  insecureSkipTLSVerify: true
+  insecureSkipTLSVerify: true
@@ -10,6 +10,9 @@ rules:
   - subnetippools
   - subnetdhcpserverstats
   verbs: ["get", "list"]
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsx-eas
+  namespace: vmware-system-nsx
+  labels:
+    app.kubernetes.io/name: service
+    app.kubernetes.io/instance: eas-service
+    app.kubernetes.io/component: eas
+    app.kubernetes.io/created-by: nsx-operator
+    app.kubernetes.io/part-of: nsx-operator
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  ports:
+  - port: 443
+    targetPort: 9553
+    protocol: TCP
+  selector:
+    component: nsx-ncp
@@ -0,0 +1,136 @@
+/* Copyright © 2026 Broadcom, Inc. All Rights Reserved.
+   SPDX-License-Identifier: Apache-2.0 */
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
+	vpcv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/vpc/v1alpha1"
+	"github.com/vmware-tanzu/nsx-operator/pkg/config"
+	"github.com/vmware-tanzu/nsx-operator/pkg/eas"
+	"github.com/vmware-tanzu/nsx-operator/pkg/eas/server"
+	"github.com/vmware-tanzu/nsx-operator/pkg/logger"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
+	pkgutil "github.com/vmware-tanzu/nsx-operator/pkg/util"
+)
+
+var (
+	// scheme is the controller-runtime manager's scheme.
+	// It only needs types that the VPC info provider and EAS storage layer
+	// read from kube-apiserver (VPCNetworkConfiguration, Subnet …).
+	// EAS API types (VPCIPAddressUsage etc.) are served entirely from NSX data
+	// and live in the generic API server's own scheme (pkg/eas/server/scheme.go).
+	scheme = runtime.NewScheme()
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(vpcv1alpha1.AddToScheme(scheme))
+}
+
+func main() {
+	// config.AddFlags registers all flags (including -nsxconfig and -log-level)
+	// and calls flag.Parse() internally.
+	config.AddFlags()
+
+	cf, err := config.NewNSXOperatorConfigFromFile()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to read config: %v\n", err)
+		os.Exit(1)
+	}
+
+	log := logger.ZapCustomLogger(cf.DefaultConfig.Debug, config.LogLevel)
+	logger.Log = log
+	// Register logger with controller-runtime to suppress "log.SetLogger(...) was never called" warning.
+	logf.SetLogger(log.Logger)
+
+	log.Info("Starting NSX Extension API Server")
+
+	// Generate TLS certificates for the EAS HTTPS server.
+	// The generic API server (k8s.io/apiserver) uses dynamic certificate loading
+	// via dynamiccertificates.NewDynamicServingContentFromFiles, so it
+	// automatically picks up renewed cert files without a pod restart.
+	// The returned CA PEM is injected into the APIService caBundle so that
+	// kube-apiserver can verify the EAS TLS connection.
+	caCert, err := pkgutil.GenerateEASCerts()
+	if err != nil {
+		log.Error(err, "Failed to generate EAS certificates")
+		os.Exit(1)
+	}
+	log.Info("EAS certificates generated successfully")
+	go refreshEASCertPeriodically()
+
+	// Initialize NSX client.
+	nsxClient := nsx.GetClient(cf)
+	if nsxClient == nil {
+		log.Error(nil, "Failed to get NSX client")
+		os.Exit(1)
+	}
+	log.Info("NSX client initialized")
+
+	// Build the k8s rest config and a controller-runtime manager.
+	// EAS is read-only so leader election is disabled — all replicas serve
+	// concurrently, load-balanced by the kube Service.
+	cfg, err := pkgutil.GetConfig()
+	if err != nil {
+		log.Error(err, "Failed to get REST config for manager")
+		os.Exit(1)
+	}
+
+	// Health and readiness probes are served by the generic API server on the
+	// EAS port (default 9553) at /healthz and /readyz over HTTPS.
+	// The NSX connectivity check is wired into /readyz via EASServer so that
+	// the pod is removed from Service endpoints when NSX is unreachable.
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		Scheme:         scheme,
+		LeaderElection: false,
+		// Metrics and health probes are both handled by the generic API server;
+		// disable the controller-runtime sidecars to avoid unused open ports.
+		Metrics:                metricsserver.Options{BindAddress: "0"},
+		HealthProbeBindAddress: "0",
+	})
+	if err != nil {
+		log.Error(err, "Failed to create manager")
+		os.Exit(1)
+	}
+
+	vpcProvider := eas.NewK8sVPCInfoProvider(mgr.GetClient())
+	srv := server.NewEASServer(nsxClient, vpcProvider, mgr.GetClient(), cfg, caCert)
+	if err := mgr.Add(srv); err != nil {
+		log.Error(err, "Failed to add EAS server to manager")
+		os.Exit(1)
+	}
+
+	log.Info("Starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		log.Error(err, "Failed to start manager")
+		os.Exit(1)
+	}
+}
+
+// refreshEASCertPeriodically regenerates the EAS TLS certificate every 30 days.
+// The generic API server loads certs via dynamiccertificates.NewDynamicServingContentFromFiles,
+// which watches the cert files for changes and reloads them automatically — so new
+// certs are picked up without a pod restart.
+func refreshEASCertPeriodically() {
+	ticker := time.NewTicker(30 * 24 * time.Hour)
+	defer ticker.Stop()
+	for range ticker.C {
+		logger.Log.Info("Refreshing EAS certificates...")
+		if _, err := pkgutil.GenerateEASCerts(); err != nil {
+			logger.Log.Error(err, "Failed to refresh EAS certificates")
+		} else {
+			logger.Log.Info("EAS certificates refreshed successfully")
+		}
+	}
+}