SecurityPolicy: per-mode service instances for T1/VPC mixed-mode#1413

Open
heypnus wants to merge 3 commits into vmware-tanzu:main from heypnus:m1-security-policy

Conversation

@heypnus (Contributor) commented Apr 19, 2026

Replace the single SecurityPolicyService singleton with a per-mode map
keyed by VPCMode (bool). Each SecurityPolicyReconciler now carries an
isVPCMode field that determines which CRD it watches and which service
instance it uses. In mixed-mode clusters, two independent reconcilers
are registered — one for T1 namespaces, one for VPC namespaces.

heypnus and others added 3 commits April 14, 2026 15:28
Replace the global boolean cf.CoeConfig.EnableVPCNetwork with
namespace-driven mixed-mode state: HasT1Namespaces and
HasVPCNamespaces.

New module: pkg/config/mixed_mode.go
- Checks SupervisorCapabilities CRD for supports_per_namespace_network_providers
  capability.
- If supported: scans namespace annotations `nsx.vmware.com/vpc_network_config`
  to derive HasVPCNamespaces and HasT1Namespaces.
- If not supported (legacy/pre-9.2): falls back to EnableVPCNetwork
  config flag.

This enables NSX Operator to run in mixed mode where both T1 and VPC
namespaces coexist, as required for VDS->VPC and T1->VPC migration.

NOTE: This patch only ensures that the existing pure T1 or pure VPC envs
preserve existing behaviours. The full functionality will be
implemented in the follow-up patches.

Testing done:
https://jenkins-vcf-wcp-dev.devops.broadcom.net/job/dev-integ-nsxt/5639/
https://jenkins-vcf-wcp-dev.devops.broadcom.net/job/dev-nsxvpc/16738/

Introduce config.IsVPCNamespace() to decide whether a namespace is
served by VPC-only controllers: in mixed mode it checks the
namespace annotation for ProviderNSXVPC; in legacy mode (when
per-namespace providers are not supported) it uses the cluster-wide
HasVPCNamespaces flag set by InitMixedMode from EnableVPCNetwork.

controllers/common: add VPCNamespacePredicate and register it with
WithEventFilter on VPC-only controllers so non-VPC namespace
creates and updates are dropped before the work queue; Delete events
stay allowed for cleanup

controllers/namespace: Reconcile skips non-VPC namespaces

Testing done:
https://jenkins-vcf-wcp-dev.devops.broadcom.net/job/dev-integ-nsxt/5639/
https://jenkins-vcf-wcp-dev.devops.broadcom.net/job/dev-nsxvpc/16738/

Replace the single SecurityPolicyService singleton with a per-mode map
keyed by VPCMode (bool). Each SecurityPolicyReconciler now carries an
isVPCMode field that determines which CRD it watches and which service
instance it uses. In mixed-mode clusters, two independent reconcilers
are registered — one for T1 namespaces, one for VPC namespaces.
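As an added, self-contained illustration (not code from the nsx-operator project or from this PR), the Go model below follows the flow the three commit messages describe: InitMixedMode deriving HasVPCNamespaces/HasT1Namespaces either from the `nsx.vmware.com/vpc_network_config` annotation or from the EnableVPCNetwork fallback, IsVPCNamespace choosing between the per-namespace check and the cluster-wide flag, a VPCNamespacePredicate that drops Create/Update events for non-VPC namespaces but lets Delete through for cleanup, and a service map keyed by VPCMode (bool) from which each reconciler picks its instance. It assumes the annotation value for ProviderNSXVPC (placeholder `"nsx-vpc"`), that a namespace without that value counts as T1, and that the legacy fallback sets HasT1Namespaces to the inverse of EnableVPCNetwork; controller-runtime is not used, so the predicate is a plain function rather than a `predicate.Funcs`.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed names, modelled on the commit messages; the real string value
// behind ProviderNSXVPC is not on the page, so "nsx-vpc" is a placeholder.
const (
	NetworkConfigAnnotation = "nsx.vmware.com/vpc_network_config"
	ProviderNSXVPC          = "nsx-vpc"
)

// Namespace is a constructed stand-in for a Kubernetes Namespace object.
type Namespace struct {
	Name        string
	Annotations map[string]string
}

// MixedMode mirrors the namespace-driven state from the first commit.
type MixedMode struct {
	PerNamespaceProviders bool // supports_per_namespace_network_providers capability
	HasVPCNamespaces      bool
	HasT1Namespaces       bool
}

func hasVPCAnnotation(ns Namespace) bool {
	return ns.Annotations[NetworkConfigAnnotation] == ProviderNSXVPC
}

// InitMixedMode scans namespace annotations when the capability is present
// and falls back to the EnableVPCNetwork flag otherwise (legacy/pre-9.2).
// Assumption: without the VPC annotation a namespace is treated as T1.
func InitMixedMode(perNSProviders, enableVPCNetwork bool, nss []Namespace) MixedMode {
	m := MixedMode{PerNamespaceProviders: perNSProviders}
	if !perNSProviders {
		m.HasVPCNamespaces = enableVPCNetwork
		m.HasT1Namespaces = !enableVPCNetwork // assumed inverse
		return m
	}
	for _, ns := range nss {
		if hasVPCAnnotation(ns) {
			m.HasVPCNamespaces = true
		} else {
			m.HasT1Namespaces = true
		}
	}
	return m
}

// IsVPCNamespace: per-namespace annotation check in mixed mode,
// cluster-wide HasVPCNamespaces flag in legacy mode.
func (m MixedMode) IsVPCNamespace(ns Namespace) bool {
	if m.PerNamespaceProviders {
		return hasVPCAnnotation(ns)
	}
	return m.HasVPCNamespaces
}

type EventKind int

const (
	EventCreate EventKind = iota
	EventUpdate
	EventDelete
)

// VPCNamespacePredicate returns true when an event should reach the work
// queue of a VPC-only controller: Create/Update only for VPC namespaces,
// Delete always so stale objects can still be cleaned up.
func (m MixedMode) VPCNamespacePredicate(kind EventKind, ns Namespace) bool {
	if kind == EventDelete {
		return true
	}
	return m.IsVPCNamespace(ns)
}

// SecurityPolicyService stands in for the per-mode service instance.
type SecurityPolicyService struct {
	VPCMode bool
}

// NewSecurityPolicyServices builds the map keyed by VPCMode; a mixed-mode
// cluster gets both entries, a pure T1 or pure VPC cluster gets one.
func NewSecurityPolicyServices(m MixedMode) map[bool]*SecurityPolicyService {
	svcs := map[bool]*SecurityPolicyService{}
	if m.HasT1Namespaces {
		svcs[false] = &SecurityPolicyService{VPCMode: false}
	}
	if m.HasVPCNamespaces {
		svcs[true] = &SecurityPolicyService{VPCMode: true}
	}
	return svcs
}

// RegisteredModes names the reconcilers that would be registered, sorted.
func RegisteredModes(svcs map[bool]*SecurityPolicyService) []string {
	var modes []string
	for vpc := range svcs {
		if vpc {
			modes = append(modes, "vpc")
		} else {
			modes = append(modes, "t1")
		}
	}
	sort.Strings(modes)
	return modes
}

func main() {
	// Constructed sample: one VPC namespace and one T1 namespace.
	nss := []Namespace{
		{Name: "vpc-ns", Annotations: map[string]string{NetworkConfigAnnotation: ProviderNSXVPC}},
		{Name: "t1-ns", Annotations: map[string]string{}},
	}
	m := InitMixedMode(true, false, nss)
	fmt.Println("reconcilers:", RegisteredModes(NewSecurityPolicyServices(m)))
	fmt.Println("t1 create queued:", m.VPCNamespacePredicate(EventCreate, nss[1]))
	fmt.Println("t1 delete queued:", m.VPCNamespacePredicate(EventDelete, nss[1]))
}
```

Filtering non-VPC Create/Update events before the work queue, rather than inside Reconcile, keeps a VPC-only controller from ever loading or mutating objects in a T1 namespace, which is the least-privilege property to verify when reviewing this change; the legacy branch is the one to test explicitly, since there every namespace resolves to the same cluster-wide answer.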
@heypnus heypnus force-pushed the m1-security-policy branch from 2b7c07f to dcd01f8 on April 20, 2026 02:28
