Add Inventory Controller watchers and VM tag management for VKS IDPS support

Add NSXServiceAccount and VirtualMachine watchers to the Inventory
Controller, along with add/remove VM tag functionality in the Inventory
Service. This enables tagging NSX Inventory VMs with nsx-op/cluster-name
to support IDPS correlation of Kubernetes objects to IPs in VKS clusters.

Key changes:
- Add SupervisorClusterName field to NSXServiceAccountStatus and CRD
  schema, with backfill logic for already-realized ServiceAccounts
- Implement VirtualMachine informer that enqueues running VKS VMs for
  tag processing, with a dedicated delete handler to ensure taggedVMs
  store cleanup (avoiding memory leak)
- Implement NSXServiceAccount informer that enqueues VMs on SA
  realization and deletion for tag add/remove
- Add SyncVirtualMachineTag with idempotent add/remove logic using
  NSX Fabric API (POST update_tags), backed by in-memory taggedVMs
  store rehydrated from NSX on startup via initTaggedVMs
- Fix HandleHTTPResponse to accept 204 No Content and empty bodies
- Add comprehensive unit tests for all handlers and service logic

VGL-51541

Signed-off-by: Yun-Tang Hsu <yun-tang.hsu@broadcom.com>

Author: yuntanghsu

build/yaml/crd/legacy/nsx.vmware.com_nsxserviceaccounts.yaml

@@ -154,6 +154,8 @@ spec:
                 type: object
               reason:
                 type: string
+              supervisorClusterName:
+                type: string
               secrets:
                 items:
                   properties:

pkg/apis/legacy/v1alpha1/nsxserviceaccount_types.go

@@ -66,14 +66,15 @@ type NSXServiceAccountStatus struct {
 	Reason string                 `json:"reason,omitempty"`
 	// Represents the realization status of a NSXServiceAccount's current state.
 	// Known .status.conditions.type is: "Realized"
-	Conditions       []metav1.Condition `json:"conditions,omitempty"`
-	VPCPath          string             `json:"vpcPath,omitempty"`
-	NSXManagers      []string           `json:"nsxManagers,omitempty"`
-	ProxyEndpoints   NSXProxyEndpoint   `json:"proxyEndpoints,omitempty"`
-	ClusterID        string             `json:"clusterID,omitempty"`
-	ClusterName      string             `json:"clusterName,omitempty"`
-	Secrets          []NSXSecret        `json:"secrets,omitempty"`
-	NSXRestoreStatus *NSXRestoreStatus  `json:"nsxRestoreStatus,omitempty"`
+	Conditions            []metav1.Condition `json:"conditions,omitempty"`
+	VPCPath               string             `json:"vpcPath,omitempty"`
+	NSXManagers           []string           `json:"nsxManagers,omitempty"`
+	ProxyEndpoints        NSXProxyEndpoint   `json:"proxyEndpoints,omitempty"`
+	ClusterID             string             `json:"clusterID,omitempty"`
+	ClusterName           string             `json:"clusterName,omitempty"`
+	SupervisorClusterName string             `json:"supervisorClusterName,omitempty"`
+	Secrets               []NSXSecret        `json:"secrets,omitempty"`
+	NSXRestoreStatus      *NSXRestoreStatus  `json:"nsxRestoreStatus,omitempty"`
 }
 
 // +genclient

pkg/controllers/inventory/inventory_controller.go

@@ -45,6 +45,8 @@ var (
 		watchIngress,
 		watchNode,
 		watchNetworkPolicy,
+		watchNSXServiceAccount,
+		watchVirtualMachine,
 	}
 )
 

pkg/controllers/inventory/nsxserviceaccount_handler.go

@@ -0,0 +1,107 @@
+package inventory
+
+import (
+	"context"
+	"fmt"
+
+	vmv1alpha1 "github.com/vmware-tanzu/vm-operator/api/v1alpha1"
+	"k8s.io/client-go/tools/cache"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	nsxvmwarecomv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/legacy/v1alpha1"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/inventory"
+)
+
+func watchNSXServiceAccount(c *InventoryController, mgr ctrl.Manager) error {
+	nsxSAInformer, err := mgr.GetCache().GetInformer(context.Background(), &nsxvmwarecomv1alpha1.NSXServiceAccount{})
+	if err != nil {
+		log.Error(err, "Failed to create NSXServiceAccount informer")
+		return err
+	}
+
+	_, err = nsxSAInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			c.handleNSXServiceAccount(obj)
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			c.handleNSXServiceAccount(newObj)
+		},
+		DeleteFunc: func(obj interface{}) {
+			c.handleNSXServiceAccountDelete(obj)
+		},
+	})
+	if err != nil {
+		log.Error(err, "Failed to add NSXServiceAccount event handler")
+		return err
+	}
+	return nil
+}
+
+func (c *InventoryController) handleNSXServiceAccount(obj interface{}) {
+	var nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount
+	switch v := obj.(type) {
+	case *nsxvmwarecomv1alpha1.NSXServiceAccount:
+		nsxSA = v
+	case cache.DeletedFinalStateUnknown:
+		var ok bool
+		nsxSA, ok = v.Obj.(*nsxvmwarecomv1alpha1.NSXServiceAccount)
+		if !ok {
+			err := fmt.Errorf("obj is not valid *NSXServiceAccount")
+			log.Error(err, "DeletedFinalStateUnknown Obj is not *NSXServiceAccount")
+			return
+		}
+	}
+
+	if nsxSA.Status.Phase != nsxvmwarecomv1alpha1.NSXServiceAccountPhaseRealized {
+		log.Debug("Skip NSXServiceAccount not yet realized", "namespace", nsxSA.Namespace, "name", nsxSA.Name)
+		return
+	}
+
+	c.enqueueVMsForCluster(nsxSA)
+}
+
+func (c *InventoryController) handleNSXServiceAccountDelete(obj interface{}) {
+	var nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount
+	switch v := obj.(type) {
+	case *nsxvmwarecomv1alpha1.NSXServiceAccount:
+		nsxSA = v
+	case cache.DeletedFinalStateUnknown:
+		var ok bool
+		nsxSA, ok = v.Obj.(*nsxvmwarecomv1alpha1.NSXServiceAccount)
+		if !ok {
+			err := fmt.Errorf("obj is not valid *NSXServiceAccount")
+			log.Error(err, "DeletedFinalStateUnknown Obj is not *NSXServiceAccount")
+			return
+		}
+	}
+
+	log.Info("NSXServiceAccount deleted, enqueuing VMs for tag removal", "namespace", nsxSA.Namespace, "name", nsxSA.Name)
+	c.enqueueVMsForCluster(nsxSA)
+}
+
+// enqueueVMsForCluster lists all VirtualMachines in the NSXServiceAccount's namespace
+// and enqueues them to the inventory queue for VM tag processing.
+func (c *InventoryController) enqueueVMsForCluster(nsxSA *nsxvmwarecomv1alpha1.NSXServiceAccount) {
+	vmList := &vmv1alpha1.VirtualMachineList{}
+	if err := c.Client.List(context.Background(), vmList, &client.ListOptions{
+		Namespace: nsxSA.Namespace,
+	}); err != nil {
+		log.Error(err, "Failed to list VirtualMachines for NSXServiceAccount", "namespace", nsxSA.Namespace)
+		return
+	}
+
+	for i := range vmList.Items {
+		vm := &vmList.Items[i]
+		if !belongsToVKSCluster(vm) {
+			continue
+		}
+		log.Debug("Enqueuing VM from NSXServiceAccount event", "namespace", vm.Namespace, "name", vm.Name)
+		key, _ := keyFunc(vm)
+		c.inventoryObjectQueue.Add(inventory.InventoryKey{
+			InventoryType: inventory.InventoryVirtualMachine,
+			ExternalId:    vm.Status.InstanceUUID,
+			Key:           key,
+		})
+	}
+}