Add support for "Isolated" AccessMode in Subnet configuration

[zhengxiexie]

✨ What's Changed

• Add support for 'Isolated' AccessMode in Subnet configuration
• Update kubebuilder validation enum to include new 'Isolated' option
• Add test coverage for mapping NSX Subnet with Isolated AccessMode
• Clean up minor code formatting and documentation improvements

🎯 Motivation

The current Subnet API only supports three AccessMode types: 'Private', 'Public', and 'PrivateTGW'. There is a need to support 'Isolated' AccessMode for specific network segmentation requirements where subnets need to be completely isolated from other network segments.

This enhancement provides:

• Enhanced Network Segmentation: Allow creation of completely isolated subnets
• Infrastructure Alignment: Match NSX-T capabilities for isolated networking
• Flexibility: Give users more options for network design patterns

✅ Testing

• All existing unit tests pass
• New test case added for 'Isolated' AccessMode mapping
• Updated controller tests to use proper type casting for AccessMode
• Validates that NSX Subnet with 'Isolated' access mode correctly maps to v1alpha1.Subnet

🔧 Technical Details

Before: Subnet AccessMode was limited to three options

// +kubebuilder:validation:Enum=Private;Public;PrivateTGW

After: Added 'Isolated' as a fourth option

// +kubebuilder:validation:Enum=Private;Public;PrivateTGW;Isolated
const AccessModeIsolated string = "Isolated"

Key Changes:

1. Added AccessModeIsolated constant in subnet_types.go
2. Updated kubebuilder validation enum to include 'Isolated'
3. Enhanced NSX-to-CR mapping logic to handle 'Isolated' AccessMode
4. Added comprehensive test coverage for the new AccessMode
5. Fixed minor formatting issues and improved documentation clarity

📎 Additional Notes

• Zero risk change - purely additive functionality
• Maintains backward compatibility with existing AccessMode values
• No API breaking changes
• Aligns with NSX-T subnet isolation capabilities
• Ready for immediate use in network configurations requiring isolation

[zhengxiexie]

/e2e

[codecov-commenter]

Codecov Report

❌ Patch coverage is 76.47059% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.81%. Comparing base (051011c) to head (3518096).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/nsx/services/subnet/subnet.go	62.50%	3 Missing ⚠️
pkg/nsx/services/subnet/builder.go	66.66%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1183   +/-   ##
=======================================
  Coverage   73.81%   73.81%           
=======================================
  Files         141      141           
  Lines       22350    22359    +9     
=======================================
+ Hits        16498    16505    +7     
- Misses       4829     4830    +1     
- Partials     1023     1024    +1     

Flag	Coverage Δ
unit-tests	73.81% <76.47%> (+<0.01%)	⬆️

Files with missing lines	Coverage Δ
pkg/util/utils.go	85.29% <100.00%> (+0.09%)	⬆️
pkg/nsx/services/subnet/builder.go	91.17% <66.66%> (ø)
pkg/nsx/services/subnet/subnet.go	74.00% <62.50%> (+0.50%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[zhengxiexie]

/e2e

[zhengxiexie]

/e2e

[zhengxiexie]

/e23

[zhengxiexie]

/e2e

[zhengxiexie]

/e2e

[zhengxiexie]

/e2e

[zhengxiexie]

/e2e

[yanjunz97]

Suggested change

	// DHCPServerAdditionalConfig Additional DHCP server config for a VPC Subnet.
	// DHCPServerAdditionalConfig defines the additional DHCP server config for a VPC Subnet.

[zhengxiexie]

fixed

[yanjunz97]

Not introduced in this PR, would you think we can use AccessMode instead of string here?

[zhengxiexie]

ok, updated

[yanjunz97]

Could you run make manifests and make generate-api-docs?

[zhengxiexie]

done

[yanjunz97]

Would you know if we would like to support Isolated AccessMode for Subnetset?

[zhengxiexie]

I think so

[zhengxiexie]

/e2e

[zhengxiexie]

/e2e

[zhengxiexie]

/e2e

[yanjunz97]

LGTM

[lxiaopei]

from NSX API doc https://github-vcf.devops.broadcom.net/vcf/nsx/blob/nsx-main/mp/policy/policy-api/src/main/resources/api_spec/root/nsx-policy/policy-vpc-subnet.yml#L219. "Isolated - VPC Subnet is not accessible from other VPC Subnets within the same VPC.
Please make use of Private, Private_TGW or Public Subnets with connectivity_state as DISCONNECTED to have a disconnected Subnet.
This value is deprecated." "Isolated" access mode is deprecated, I think we do not need to add new access mode "Isolated" in Subnet CR, but indicate user to use "connectivity_state as DISCONNECTED". WDYT?