vmware-tanzu · Atish-iaf · Apr 17, 2026 · Apr 21, 2026
diff --git a/build/yaml/crd/legacy/nsx.vmware.com_nsxserviceaccounts.yaml b/build/yaml/crd/legacy/nsx.vmware.com_nsxserviceaccounts.yaml
@@ -43,6 +43,15 @@ spec:
                 description: EnableCertRotation enables cert rotation feature in this
                   cluster when NSXT >=4.1.3
                 type: boolean
+              proxy:
+                default: SupervisorManagementProxy
+                description: |-
+                  Proxy specifies the proxy type for NSX connectivity
+                  Defaults to SupervisorManagementProxy if not specified
+                enum:
+                - VMCIProxy
+                - SupervisorManagementProxy
+                type: string
               vpcName:
                 type: string
             type: object

diff --git a/docs/ref/apis/legacy.md b/docs/ref/apis/legacy.md
@@ -206,6 +206,24 @@ _Appears in:_
 | `failed` |  |
 
 
+#### NSXServiceAccountProxyType
+
+_Underlying type:_ _string_
+
+NSXServiceAccountProxyType defines the proxy type used for NSX connectivity
+
+_Validation:_
+- Enum: [VMCIProxy SupervisorManagementProxy]
+
+_Appears in:_
+- [NSXServiceAccountSpec](#nsxserviceaccountspec)
+
+| Field | Description |
+| --- | --- |
+| `VMCIProxy` |  |
+| `SupervisorManagementProxy` |  |
+
+
 #### NSXServiceAccountSpec
 
 
@@ -221,6 +239,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `vpcName` _string_ |  |  |  |
 | `enableCertRotation` _boolean_ | EnableCertRotation enables cert rotation feature in this cluster when NSXT >=4.1.3 |  |  |
+| `proxy` _[NSXServiceAccountProxyType](#nsxserviceaccountproxytype)_ | Proxy specifies the proxy type for NSX connectivity<br />Defaults to SupervisorManagementProxy if not specified | SupervisorManagementProxy | Enum: [VMCIProxy SupervisorManagementProxy] <br /> |
 
 
 #### NSXServiceAccountStatus

diff --git a/pkg/apis/legacy/v1alpha1/nsxserviceaccount_types.go b/pkg/apis/legacy/v1alpha1/nsxserviceaccount_types.go
@@ -7,11 +7,24 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// NSXServiceAccountProxyType defines the proxy type used for NSX connectivity
+// +kubebuilder:validation:Enum=VMCIProxy;SupervisorManagementProxy
+type NSXServiceAccountProxyType string
+
+const (
+	VMCIProxy                 NSXServiceAccountProxyType = "VMCIProxy"
+	SupervisorManagementProxy NSXServiceAccountProxyType = "SupervisorManagementProxy"
+)
+
 // NSXServiceAccountSpec defines the desired state of NSXServiceAccount
 type NSXServiceAccountSpec struct {
 	VPCName string `json:"vpcName,omitempty"`
 	// EnableCertRotation enables cert rotation feature in this cluster when NSXT >=4.1.3
 	EnableCertRotation bool `json:"enableCertRotation,omitempty"`
+	// Proxy specifies the proxy type for NSX connectivity
+	// Defaults to SupervisorManagementProxy if not specified
+	// +kubebuilder:default=SupervisorManagementProxy
+	Proxy NSXServiceAccountProxyType `json:"proxy,omitempty"`
 }
 
 type NSXProxyEndpointAddress struct {

diff --git a/pkg/controllers/nsxserviceaccount/nsxserviceaccount_controller.go b/pkg/controllers/nsxserviceaccount/nsxserviceaccount_controller.go
@@ -255,6 +255,12 @@ func (r *NSXServiceAccountReconciler) serviceMapFunc(ctx context.Context, _ clie
 	}
 
 	for _, nsxserviceaccount := range nsxServiceAccountList.Items {
+		// Only enqueue NSXServiceAccounts that use SupervisorManagementProxy
+		// Skip VMCIProxy since it uses hardcoded addresses (127.0.0.1) and is not affected by Service IP changes
+		if nsxserviceaccount.Spec.Proxy == nsxvmwarecomv1alpha1.VMCIProxy {
+			continue
+		}
+
 		requests = append(requests, reconcile.Request{
 			NamespacedName: types.NamespacedName{
 				Namespace: nsxserviceaccount.GetNamespace(),

diff --git a/pkg/nsx/services/nsxserviceaccount/cluster.go b/pkg/nsx/services/nsxserviceaccount/cluster.go
@@ -33,10 +33,12 @@ import (
 )
 
 const (
-	siteId             = "default"
-	enforcementpointId = "default"
-	PortRestAPI        = "rest-api"
-	PortNSXRPCFwdProxy = "nsx-rpc-fwd-proxy"
+	siteId                = "default"
+	enforcementpointId    = "default"
+	PortRestAPI           = "rest-api"
+	PortNumRestAPI        = 10091
+	PortNSXRPCFwdProxy    = "nsx-rpc-fwd-proxy"
+	PortNumNSXRPCFwdProxy = 10092
 	// #nosec G101: false positive triggered by variable name which includes "secret"
 	SecretSuffix   = "-nsx-cert"
 	SecretCAName   = "ca.crt"
@@ -112,7 +114,7 @@ func (s *NSXServiceAccountService) CreateOrUpdateNSXServiceAccount(ctx context.C
 	vpcPath := fmt.Sprintf("/orgs/default/projects/%s/vpcs/%s", util.NormalizeId(project), vpcName)
 
 	// get proxy
-	proxyEndpoints, err := s.getProxyEndpoints(ctx)
+	proxyEndpoints, err := s.getProxyEndpoints(ctx, obj)
 	if err != nil {
 		return err
 	}
@@ -306,11 +308,30 @@ func (s *NSXServiceAccountService) createPIAndCCP(normalizedClusterName string,
 	return clusterId, nil
 }
 
-func (s *NSXServiceAccountService) getProxyEndpoints(ctx context.Context) (v1alpha1.NSXProxyEndpoint, error) {
+func (s *NSXServiceAccountService) getProxyType(obj *v1alpha1.NSXServiceAccount) v1alpha1.NSXServiceAccountProxyType {
+	if obj.Spec.Proxy != "" {
+		return obj.Spec.Proxy
+	}
+	return v1alpha1.SupervisorManagementProxy
+}
+
+func (s *NSXServiceAccountService) getProxyEndpoints(ctx context.Context, obj *v1alpha1.NSXServiceAccount) (v1alpha1.NSXProxyEndpoint, error) {
+	proxyType := s.getProxyType(obj)
+
+	if proxyType == v1alpha1.VMCIProxy {
+		return v1alpha1.NSXProxyEndpoint{
+			Addresses: []v1alpha1.NSXProxyEndpointAddress{{IP: "127.0.0.1"}},
+			Ports: []v1alpha1.NSXProxyEndpointPort{
+				{Name: PortRestAPI, Port: PortNumRestAPI, Protocol: v1alpha1.NSXProxyProtocolTCP},
+				{Name: PortNSXRPCFwdProxy, Port: PortNumNSXRPCFwdProxy, Protocol: v1alpha1.NSXProxyProtocolTCP},
+			},
+		}, nil
+	}
+
 	proxyEndpoints := v1alpha1.NSXProxyEndpoint{}
 	proxies := &v1.ServiceList{}
 	if err := s.Client.List(ctx, proxies, client.MatchingLabels(proxyLabels)); err != nil {
-		return v1alpha1.NSXProxyEndpoint{}, err
+		return proxyEndpoints, err
 	}
 	for _, proxy := range proxies.Items {
 		if proxy.Spec.Type == v1.ServiceTypeLoadBalancer {
@@ -650,7 +671,7 @@ func (s *NSXServiceAccountService) GetNSXRestoreStatus() (*v1alpha1.NSXRestoreSt
 }
 
 func (s *NSXServiceAccountService) UpdateProxyEndpointsIfNeeded(ctx context.Context, obj *v1alpha1.NSXServiceAccount) error {
-	proxyEndpoints, err := s.getProxyEndpoints(ctx)
+	proxyEndpoints, err := s.getProxyEndpoints(ctx, obj)
 	if err != nil {
 		return err
 	}