Add per-namespace VPC filtering for VPC-only controllers

cmd/main.go

@@ -113,7 +113,7 @@ func init() {
 
 func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 	// Generate webhook certificates and start refreshing webhook certificates periodically
-	if cf.CoeConfig.EnableVPCNetwork {
+	if config.HasVPCNamespaces() {
 		if err := pkgutil.GenerateWebhookCerts(); err != nil {
 			log.Error(err, "Failed to generate webhook certificates")
 			os.Exit(1)
@@ -123,7 +123,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 	}
 
 	// Initialize and start the system health reporter
-	if cf.CoeConfig.EnableVPCNetwork && cf.EnableInventory && cf.CoeConfig.EnableSha {
+	if config.HasVPCNamespaces() && cf.EnableInventory && cf.CoeConfig.EnableSha {
 		health.Start(nsxClient, cf, mgr.GetClient())
 	}
 
@@ -136,7 +136,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 
 	checkLicense(nsxClient, cf.LicenseValidationInterval)
 
-	if cf.K8sConfig.EnableRestore && cf.CoeConfig.EnableVPCNetwork {
+	if cf.K8sConfig.EnableRestore && config.HasVPCNamespaces() {
 		var err error
 		restoreMode, err = pkgutil.CompareNSXRestore(mgr.GetClient(), nsxClient)
 		if err != nil {
@@ -153,7 +153,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 	var hookServer webhook.Server
 	var subnetSetReconcile *subnetset.SubnetSetReconciler
 
-	if cf.CoeConfig.EnableVPCNetwork {
+	if config.HasVPCNamespaces() {
 		// Check NSX version for VPC networking mode
 		if !commonService.NSXClient.NSXCheckVersion(nsx.VPC) {
 			log.Error(nil, "VPC mode cannot be enabled if NSX version is lower than 4.1.1")
@@ -284,6 +284,21 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 		log.Error(err, "Failed to update Pod labels")
 		panic(err)
 	}
+
+	// Watch for mixed-mode state changes (e.g. T1-only → T1+VPC when the migration starts).
+	// If the state changes, exit so the operator restarts with the new configuration
+	// — this is simpler and safer than hot-initializing VPC services after startup.
+	config.SetMixedModeNamespaceRefreshReader(mgr.GetClient())
+	go func() {
+		ticker := time.NewTicker(30 * time.Second)
+		defer ticker.Stop()
+		for range ticker.C {
+			if config.RefreshMixedModeState(context.Background()) {
+				log.Info("Mixed-mode state changed; restarting NSX Operator to pick up new configuration")
+				os.Exit(0)
+			}
+		}
+	}()
 }
 
 func electMaster(mgr manager.Manager, nsxClient *nsx.Client) {
@@ -329,6 +344,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := config.InitMixedMode(context.Background(), cfg, cf.CoeConfig.EnableVPCNetwork); err != nil {
+		log.Error(err, "Failed to initialize mixed mode state")
+		os.Exit(1)
+	}
+	util.SetHasVPCNamespacesFunc(config.HasVPCNamespaces)
+
 	if cf.HAEnabled() {
 		go electMaster(mgr, nsxClient)
 	} else {