Add EAS api implementation

1. add a new eas service in nsx-operator
2. register eas service to k8s api server
3. start a http service on 9553 port
4. add eas service implentations for ip usages api yamls

Author: seanpang-vmware

Makefile

@@ -97,6 +97,11 @@ build-clean: generate fmt vet ## Build clean binary.
 	@mkdir -p $(BINDIR)
 	GOOS=linux go build -o $(BINDIR)/clean $(GOFLAGS) -ldflags '$(LDFLAGS)' cmd_clean/main.go
 
+.PHONY: build-eas
+build-eas: generate fmt vet ## Build EAS (Extension API Server) binary.
+	@mkdir -p $(BINDIR)
+	GOOS=linux go build -o $(BINDIR)/eas $(GOFLAGS) -ldflags '$(LDFLAGS)' cmd_eas/main.go
+
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./cmd/main.go
@@ -113,6 +118,10 @@ docker-push: ## Push docker image with the manager.
 photon:
 	docker build -t github.com/vmware-tanzu/nsx-operator -f build/image/photon/Dockerfile .
 
+.PHONY: eas
+eas:
+	docker build -t github.com/vmware-tanzu/nsx-eas -f build/image/eas/Dockerfile .
+
 .PHONY: clean
 clean:
 	@rm -rf $(BINDIR)

build/image/eas/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.25.7 as golang-build
+
+WORKDIR /source
+
+COPY . /source
+RUN CGO_ENABLED=0 go build -o eas cmd_eas/main.go
+
+FROM photon
+
+RUN tdnf -y install shadow && \
+    useradd -s /bin/bash eas
+
+COPY --from=golang-build /source/eas /usr/local/bin/
+
+USER eas
+
+ENTRYPOINT ["/usr/local/bin/eas"]

build/yaml/eas/apiservice.yaml

@@ -10,4 +10,4 @@ spec:
   service:
     name: nsx-eas
     namespace: vmware-system-nsx
-  insecureSkipTLSVerify: true
+  insecureSkipTLSVerify: false

build/yaml/eas/clusterrole.yaml

@@ -9,7 +9,10 @@ rules:
   - ipblockusages
   - subnetippools
   - subnetdhcpserverstats
-  verbs: ["get", "list"]
+  verbs: ["get", "list", "update"]
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: ["apiservices"]
+  verbs: ["get", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

build/yaml/eas/eas-service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsx-eas
+  namespace: vmware-system-nsx
+  labels:
+    app.kubernetes.io/name: service
+    app.kubernetes.io/instance: eas-service
+    app.kubernetes.io/component: eas
+    app.kubernetes.io/created-by: nsx-operator
+    app.kubernetes.io/part-of: nsx-operator
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  ports:
+  - port: 443
+    targetPort: 9553
+    protocol: TCP
+  selector:
+    component: nsx-ncp

build/yaml/eas/service.yaml

@@ -0,0 +1,108 @@
+/* Copyright © 2026 Broadcom, Inc. All Rights Reserved.
+   SPDX-License-Identifier: Apache-2.0 */
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
+	easv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/eas/v1alpha1"
+	vpcv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/vpc/v1alpha1"
+	"github.com/vmware-tanzu/nsx-operator/pkg/config"
+	"github.com/vmware-tanzu/nsx-operator/pkg/eas"
+	"github.com/vmware-tanzu/nsx-operator/pkg/eas/server"
+	"github.com/vmware-tanzu/nsx-operator/pkg/logger"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx"
+	pkgutil "github.com/vmware-tanzu/nsx-operator/pkg/util"
+)
+
+var (
+	scheme         = runtime.NewScheme()
+	configFilePath string
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(easv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(vpcv1alpha1.AddToScheme(scheme))
+}
+
+func main() {
+	var logLevel int
+	flag.StringVar(&configFilePath, "nsxconfig", "/etc/nsx-ujo/ncp.ini", "NSX Operator configuration file path")
+	flag.IntVar(&logLevel, "log-level", 0, "Log verbosity level (0=info, 1=debug, 2=trace)")
+	flag.StringVar(&config.ProbeAddr, "health-probe-bind-address", ":8384", "The address the probe endpoint binds to.")
+	flag.Parse()
+
+	config.UpdateConfigFilePath(configFilePath)
+	cf, err := config.NewNSXOperatorConfigFromFile()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to read config: %v\n", err)
+		os.Exit(1)
+	}
+
+	log := logger.ZapCustomLogger(cf.DefaultConfig.Debug, logLevel)
+	logger.Log = log
+	// Register logger with controller-runtime to suppress "log.SetLogger(...) was never called" warning.
+	logf.SetLogger(log.Logger)
+
+	log.Info("Starting NSX Extension API Server")
+
+	// Initialize NSX client.
+	nsxClient := nsx.GetClient(cf)
+	if nsxClient == nil {
+		log.Error(nil, "Failed to get NSX client")
+		os.Exit(1)
+	}
+	log.Info("NSX client initialized")
+
+	// Get k8s config and create a manager.
+	// EAS is read-only so all replicas serve concurrently (no leader election).
+	cfg, err := pkgutil.GetConfig()
+	if err != nil {
+		log.Error(err, "Failed to get rest config for manager")
+		os.Exit(1)
+	}
+
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsserver.Options{BindAddress: "0"}, // disable metrics, shares container with nsx-ncp
+		HealthProbeBindAddress: config.ProbeAddr,
+	})
+	if err != nil {
+		log.Error(err, "Failed to create manager")
+		os.Exit(1)
+	}
+
+	vpcProvider := eas.NewK8sVPCInfoProvider(mgr.GetClient())
+	srv := server.NewEASServer(nsxClient, vpcProvider, mgr.GetClient(), cfg)
+	if err := mgr.Add(srv); err != nil {
+		log.Error(err, "Failed to add EAS server to manager")
+		os.Exit(1)
+	}
+
+	if err := mgr.AddHealthzCheck("healthz", nsxClient.NSXChecker.CheckNSXHealth); err != nil {
+		log.Error(err, "Failed to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		log.Error(err, "Failed to set up ready check")
+		os.Exit(1)
+	}
+
+	log.Info("Starting manager")
+	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+		log.Error(err, "Failed to start manager")
+		os.Exit(1)
+	}
+}