Extend NamespaceNetworkConfiguration with NSX VPC networking support by ihgann · Pull Request #53 · vmware-tanzu/net-operator-api

ihgann · 2026-05-22T22:46:07Z

Introduces VPC as a first-class network provider in NamespaceNetworkConfiguration alongside the existing vSphere Distributed (VDS) provider.

New types

SharedSubnetDefault: string enum (True/False) marking a shared Subnet as the default network for Pod or VM workloads.
SharedSubnet: references a pre-created NSX Subnet by policy path, with an optional DNS-subdomain name, and podDefault/vmDefault markers.
AutoCreateVPCConfig: groups the parameters needed to have a namespace-scoped VPC created automatically — nsxProject, vpcConnectivityProfile, and privateCIDRs.
VPCConfig: top-level VPC spec supporting two mutually exclusive modes:
1. Pre-created VPC mode — set vpc to reference an existing VPC.
2. Auto-create VPC mode — set autoCreateConfig to provision a new VPC. Both modes support sharedSubnets and defaultSubnetSize.

CEL validation

vpc and autoCreateConfig are mutually exclusive.
At most one sharedSubnet may have podDefault=True; at most one may have vmDefault=True.
vpc must be set whenever any sharedSubnet declares podDefault=True or vmDefault=True, because those Subnets must reside within the Namespace's VPC to back resources such as load balancer virtual services and static routes.
NamespaceNetworkSpec now accepts type=vpc and requires vpcConfig to carry either vpc or autoCreateConfig.

NamespaceNetworkSpec.vpcConfig

New optional field; when set, delegates network provisioning to NSX Operator, which constructs a VPCNetworkConfiguration from this spec and orchestrates the NSX Operator APIs to manage the Namespace's VPC resources.

Documentation

podDefault/vmDefault godocs describe the vpc pre-requisite and the fallback behaviour (PrivateTGW IPBlock → no default for Pods; privateCIDRs → no default for VMs) when no shared Subnet is designated as the default.
sharedSubnets godoc notes that an in-use Subnet cannot be removed and describes the same default-network fallback path.

Deepcopy stubs regenerated for all new types.

Introduces VPC as a first-class network provider in NamespaceNetworkConfiguration alongside the existing vSphere Distributed (VDS) provider. New types - SharedSubnetDefault: string enum (True/False) marking a shared Subnet as the default network for Pod or VM workloads. - SharedSubnet: references a pre-created NSX Subnet by policy path, with an optional DNS-subdomain name, and podDefault/vmDefault markers. - AutoCreateVPCConfig: groups the parameters needed to have a namespace-scoped VPC created automatically — nsxProject, vpcConnectivityProfile, and privateCIDRs. - VPCConfig: top-level VPC spec supporting two mutually exclusive modes: 1. Pre-created VPC mode — set vpc to reference an existing VPC. 2. Auto-create VPC mode — set autoCreateConfig to provision a new VPC. Both modes support sharedSubnets and defaultSubnetSize. CEL validation - vpc and autoCreateConfig are mutually exclusive. - At most one sharedSubnet may have podDefault=True; at most one may have vmDefault=True. - vpc must be set whenever any sharedSubnet declares podDefault=True or vmDefault=True, because those Subnets must reside within the Namespace's VPC to back resources such as load balancer virtual services and static routes. - NamespaceNetworkSpec now accepts type=vpc and requires vpcConfig to carry either vpc or autoCreateConfig. NamespaceNetworkSpec.vpcConfig - New optional field; when set, delegates network provisioning to NSX Operator, which constructs a VPCNetworkConfiguration from this spec and orchestrates the NSX Operator APIs to manage the Namespace's VPC resources. Documentation - podDefault/vmDefault godocs describe the vpc pre-requisite and the fallback behaviour (PrivateTGW IPBlock → no default for Pods; privateCIDRs → no default for VMs) when no shared Subnet is designated as the default. - sharedSubnets godoc notes that an in-use Subnet cannot be removed and describes the same default-network fallback path. Deepcopy stubs regenerated for all new types. Co-authored-by: Cursor <cursoragent@cursor.com>

ihgann · 2026-05-22T22:47:46Z

+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:items:MaxLength=64
+	// +listType=atomic
+	PrivateCIDRs []string `json:"privateCIDRs,omitempty"`


In VPCNetworkConfiguration, this is PrivateIPs. Is this indeed CIDRs, or can it also be range?

from NSX API, this is CIDR.

ihgann · 2026-05-22T22:48:08Z

 	// +optional
 	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:MaxLength=2048
+	// +kubebuilder:validation:MaxLength=1024


ihgann · 2026-05-22T22:48:25Z

-// +kubebuilder:validation:XValidation:rule="self.type == 'vsphere-distributed'",message="only vsphere-distributed is currently supported; nsx-tier1 and vpc will be introduced in a future version"
+// +kubebuilder:validation:XValidation:rule="self.type == 'vsphere-distributed' || self.type == 'vpc'",message="only vsphere-distributed and vpc are currently supported; nsx-tier1 will be introduced in a future version"
 // +kubebuilder:validation:XValidation:rule="self.type == 'vsphere-distributed' ? (has(self.vsphereDistributedConfig.networks) && self.vsphereDistributedConfig.networks.size() > 0) : true",message="vsphereDistributedConfig.networks must contain at least one entry when type is vsphere-distributed"
+// +kubebuilder:validation:XValidation:rule="self.type == 'vpc' ? (has(self.vpcConfig) && (self.vpcConfig.vpc != ” || has(self.vpcConfig.autoCreateConfig))) : true",message="vpcConfig must have either vpc (pre-created VPC mode) or autoCreateConfig (auto-create VPC mode) set when type is vpc"


Fix CEL ” -> ''

ihgann · 2026-05-22T22:48:50Z

+	// A Subnet that is currently in use cannot be removed. If all shared Subnets
+	// acting as a Pod or VM default are removed, the default network falls back
+	// to Subnets generated from the Namespace VPC's available address space. If
+	// no such space exists, the affected workload type is not assigned a default
+	// network.


Review with XiaoPei.

lxiaopei · 2026-05-25T02:47:10Z

+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:items:MaxLength=64
+	// +listType=atomic
+	PrivateCIDRs []string `json:"privateCIDRs,omitempty"`


from NSX API, this is CIDR.

lxiaopei · 2026-05-25T02:48:57Z

+	// +optional
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=2048
+	NSXProject string `json:"nsxProject,omitempty"`


current Namespaces.vmodl, for namespaces , it inherits "project" and "vpc connectivity profile" from Supervisor, for the CRD introduced for Supervisor 2.0, do we define these in Supervisor and Namespace CRD?

ihgann commented May 22, 2026

View reviewed changes

lxiaopei reviewed May 25, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Extend NamespaceNetworkConfiguration with NSX VPC networking support#53

Extend NamespaceNetworkConfiguration with NSX VPC networking support#53
ihgann wants to merge 1 commit into
vmware-tanzu:masterfrom
ihgann:topic/ihgann/nnc-vpc

ihgann commented May 22, 2026

Uh oh!

ihgann May 22, 2026

Uh oh!

lxiaopei May 25, 2026

Uh oh!

ihgann May 22, 2026

Uh oh!

ihgann May 22, 2026

Uh oh!

ihgann May 22, 2026

Uh oh!

lxiaopei May 25, 2026

Uh oh!

lxiaopei May 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

ihgann commented May 22, 2026

Uh oh!

ihgann May 22, 2026

Choose a reason for hiding this comment

Uh oh!

lxiaopei May 25, 2026

Choose a reason for hiding this comment

Uh oh!

ihgann May 22, 2026

Choose a reason for hiding this comment

Uh oh!

ihgann May 22, 2026

Choose a reason for hiding this comment

Uh oh!

ihgann May 22, 2026

Choose a reason for hiding this comment

Uh oh!

lxiaopei May 25, 2026

Choose a reason for hiding this comment

Uh oh!

lxiaopei May 25, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants