Add per-namespace VPC filtering for VPC-only controllers

Introduce config.IsVPCNamespace() to decide whether a namespace is
served by VPC-only controllers: in mixed mode it checks the
namespace annotation for ProviderNSXVPC; in legacy mode (when
per-namespace providers are not supported) it uses the cluster-wide
HasVPCNamespaces flag set by InitMixedMode from EnableVPCNetwork.

controllers/common: add VPCNamespacePredicate and register it with
WithEventFilter on VPC-only controllers so non-VPC namespace
creates and updates are dropped before the work queue; Delete events
stay allowed for cleanup

controllers/namespace: Reconcile skips non-VPC namespaces

Testing done:
https://jenkins-vcf-wcp-dev.devops.broadcom.net/job/dev-integ-nsxt/5639/
https://jenkins-vcf-wcp-dev.devops.broadcom.net/job/dev-nsxvpc/16738/

Author: heypnus

pkg/config/mixed_mode.go

@@ -317,3 +317,15 @@ func IsPerNamespaceProvidersSupported() bool {
 	defer stateMu.RUnlock()
 	return perNamespaceProvidersSupported != nil && *perNamespaceProvidersSupported
 }
+
+// IsVPCNamespace reports whether ns should be treated as a VPC namespace.
+// In legacy mode (pre-9.2, per-namespace providers not supported) the whole
+// cluster runs a single provider, so the cluster-level HasVPCNamespaces flag
+// (derived from EnableVPCNetwork) is returned regardless of the namespace.
+// In mixed mode, non-empty VPCNetworkConfigAnnotation marks a VPC namespace.
+func IsVPCNamespace(ns *v1.Namespace) bool {
+	if !IsPerNamespaceProvidersSupported() {
+		return HasVPCNamespaces()
+	}
+	return namespaceHasVPCNetworkConfig(ns)
+}

pkg/config/mixed_mode_test.go

@@ -541,6 +541,50 @@ func TestRefreshMixedModeState(t *testing.T) {
 	})
 }
 
+func TestIsVPCNamespace(t *testing.T) {
+	t.Run("nil namespace", func(t *testing.T) {
+		resetMixedModeState()
+		assert.False(t, IsVPCNamespace(nil))
+	})
+
+	t.Run("per-namespace on vpc annotation", func(t *testing.T) {
+		resetMixedModeState()
+		supported := true
+		stateMu.Lock()
+		perNamespaceProvidersSupported = &supported
+		stateMu.Unlock()
+		ns := makeNamespace("x", "default")
+		assert.True(t, IsVPCNamespace(ns))
+	})
+
+	t.Run("per-namespace on no annotation counts as T1", func(t *testing.T) {
+		resetMixedModeState()
+		supported := true
+		stateMu.Lock()
+		perNamespaceProvidersSupported = &supported
+		stateMu.Unlock()
+		ns := makeNamespace("y", "")
+		assert.False(t, IsVPCNamespace(ns))
+	})
+
+	t.Run("per-namespace off IsVPCNamespace uses cluster flags", func(t *testing.T) {
+		resetMixedModeState()
+		supported := false
+		stateMu.Lock()
+		perNamespaceProvidersSupported = &supported
+		hasVPCNamespaces = true
+		hasT1Namespaces = false
+		stateMu.Unlock()
+		ns := makeNamespace("any", "")
+		assert.True(t, IsVPCNamespace(ns))
+		stateMu.Lock()
+		hasVPCNamespaces = false
+		hasT1Namespaces = true
+		stateMu.Unlock()
+		assert.False(t, IsVPCNamespace(ns))
+	})
+}
+
 // ---------- Getters and SetMixedModeStateForTest ----------
 
 func TestGettersAndSetMixedModeStateForTest(t *testing.T) {

pkg/controllers/common/namespace_filter.go

@@ -0,0 +1,69 @@
+/* Copyright © 2026 Broadcom, Inc. All Rights Reserved.
+   SPDX-License-Identifier: Apache-2.0 */
+
+package common
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	"github.com/vmware-tanzu/nsx-operator/pkg/config"
+)
+
+// isVPCNamespaceByName fetches the Namespace by name and calls config.IsVPCNamespace.
+// Returns true when the namespace cannot be fetched (transient error or already
+// gone) so the Reconcile loop can decide what to do.
+func isVPCNamespaceByName(c client.Reader, ns string) bool {
+	namespace := &corev1.Namespace{}
+	if err := c.Get(context.Background(), types.NamespacedName{Name: ns}, namespace); err != nil {
+		if !apierrors.IsNotFound(err) {
+			log.Error(err, "Failed to get Namespace for VPC predicate; allowing event through", "namespace", ns)
+		}
+		return true
+	}
+	return config.IsVPCNamespace(namespace)
+}
+
+// VPCNamespacePredicate returns a predicate that filters events for VPC-only
+// controllers.  Events are passed when config.IsVPCNamespace reports true for
+// the resource's namespace.
+//
+// Behaviour by event type:
+//   - Create / Update / Generic: allowed only for VPC namespaces.
+//   - Delete: always allowed so the controller can clean up any existing NSX
+//     resources even if the namespace is already gone.
+//
+// The namespace check is skipped for cluster-scoped resources (empty namespace),
+// which are always allowed through.
+func VPCNamespacePredicate(c client.Reader) predicate.Funcs {
+	isVPCNs := func(ns string) bool {
+		if ns == "" {
+			// Cluster-scoped resource: no per-namespace filtering.
+			return true
+		}
+		return isVPCNamespaceByName(c, ns)
+	}
+
+	return predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return isVPCNs(e.Object.GetNamespace())
+		},
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			return isVPCNs(e.ObjectNew.GetNamespace())
+		},
+		// Always allow Delete events so the controller can clean up NSX
+		// resources regardless of the current namespace network metadata.
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			return true
+		},
+		GenericFunc: func(e event.GenericEvent) bool {
+			return isVPCNs(e.Object.GetNamespace())
+		},
+	}
+}

pkg/controllers/ipaddressallocation/ipaddressallocation_controller.go

@@ -132,6 +132,7 @@ func (r *IPAddressAllocationReconciler) handleDeletion(req ctrl.Request, obj *v1
 func (r *IPAddressAllocationReconciler) setupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1alpha1.IPAddressAllocation{}).
+		WithEventFilter(common.VPCNamespacePredicate(r.Client)).
 		WithOptions(
 			controller.Options{
 				MaxConcurrentReconciles: common.NumReconcile(),

pkg/controllers/namespace/namespace_controller.go

@@ -253,8 +253,17 @@ func (r *NamespaceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return common.ResultNormal, client.IgnoreNotFound(err)
 	}
 
-	// processing create/update event
 	ns := obj.GetName()
+
+	// Only process VPC namespaces.  Migration destination is VPC strictly, so a non-VPC
+	// namespace never carries VPC infra and can safely be skipped on both create
+	// and delete.
+	if !config.IsVPCNamespace(obj) {
+		log.Info("Skipping Namespace: not a VPC namespace", "Namespace", ns)
+		return common.ResultNormal, nil
+	}
+
+	// processing create/update event
 	if obj.ObjectMeta.DeletionTimestamp.IsZero() {
 		metrics.CounterInc(r.NSXConfig, metrics.ControllerUpdateTotal, common.MetricResTypeNamespace)
 		log.Info("Start processing Namespace create/update event", "Namespace", ns)

pkg/controllers/namespace/namespace_controller_test.go

@@ -128,6 +128,12 @@ func TestGetDefaultNetworkConfigName(t *testing.T) {
 }
 
 func TestNamespaceReconciler_Reconcile(t *testing.T) {
+	// Simulate a legacy VPC cluster (EnableVPCNetwork=true, per-namespace
+	// providers not supported) so that all namespaces are treated as VPC
+	// namespaces by IsVPCNamespace.
+	config.SetMixedModeStateForTest(false, true)
+	t.Cleanup(func() { config.SetMixedModeStateForTest(false, false) })
+
 	nc := v1alpha1.VPCNetworkConfiguration{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        "fake-VPCNetworkConfig",
@@ -374,11 +380,11 @@ func TestCreateDefaultSubnetSet(t *testing.T) {
 			expectedSubnetSets: 1, // VM
 			networkStack:       v1alpha1.FullStackVPC,
 			nameSpaceType:      ctlcommon.SystemNs,
+			// Stub NSXCheckVersion so getSystemNsDefaultSize does not call a nil cluster (empty Client in createNameSpaceReconciler).
 			setupMocks: func(r *NamespaceReconciler) *gomonkey.Patches {
-				patches := gomonkey.ApplyPrivateMethod(reflect.TypeOf(r), "getSystemNsDefaultSize", func(_ *NamespaceReconciler) int {
-					return 8
+				return gomonkey.ApplyMethod(reflect.TypeOf(&nsx.Client{}), "NSXCheckVersion", func(_ *nsx.Client, _ int) bool {
+					return true // treat as NSX >= 9.1 => MinSubnetSizeV91 (8)
 				})
-				return patches
 			},
 		},
 		{

pkg/controllers/networkinfo/networkinfo_controller.go

@@ -469,6 +469,7 @@ func (r *NetworkInfoReconciler) getNSXLBSNATIP(nc *v1alpha1.VPCNetworkConfigurat
 func (r *NetworkInfoReconciler) setupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1alpha1.NetworkInfo{}).
+		WithEventFilter(common.VPCNamespacePredicate(r.Client)).
 		WithOptions(
 			controller.Options{
 				MaxConcurrentReconciles: common.NumReconcile(),

pkg/controllers/networkpolicy/networkpolicy_controller.go

@@ -140,6 +140,7 @@ func (r *NetworkPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 func (r *NetworkPolicyReconciler) setupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&networkingv1.NetworkPolicy{}).
+		WithEventFilter(common.VPCNamespacePredicate(r.Client)).
 		Watches(
 			&v1.Pod{},
 			&EnqueueRequestForPod{

pkg/controllers/pod/pod_controller.go

@@ -257,6 +257,7 @@ func (r *PodReconciler) setupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1.Pod{}).
 		WithEventFilter(PredicateFuncsPod).
+		WithEventFilter(common.VPCNamespacePredicate(r.Client)).
 		WithOptions(
 			controller.Options{
 				MaxConcurrentReconciles: common.NumReconcile(),

pkg/controllers/service/service_lb_controller.go

@@ -121,6 +121,7 @@ func (r *ServiceLbReconciler) setServiceLbStatus(ctx context.Context, lbService
 func (r *ServiceLbReconciler) setupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&v1.Service{}).
+		WithEventFilter(common.VPCNamespacePredicate(r.Client)).
 		WithOptions(
 			controller.Options{
 				MaxConcurrentReconciles: common.NumReconcile(),