Epic Goal

The ask here is to provide support for BYO security groups for NLB on CCM. 

This is a follow up of EP https://issues.redhat.com/browse/SPLAT-2187 

Additional information:

• Security Group is supported by NLBs recently (2023):
  • https://aws.amazon.com/blogs/containers/network-load-balancers-now-support-security-groups/ 
  • https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/ 
• One can enable security groups on your NLB by using AWS Load Balancer controller version 2.6.0 or later.
• Cloud Controller Manager (CCM) does not support Service load balancer type NLB with security groups 

Why is this important?

The plan is to support BYO SG on Service type-loadBalancer on NLBs through annotations, so users if wants to bypass the default managed security group support (SPLAT-2137).

The plan is to support only in CCM, no Cluster Ingress Operator support is targeted to this Epic.

https://github.com/openshift/enhancements/pull/1802 

Scenarios

1. ...

Acceptance Criteria

• Service type-loadBalancer NLB can be created with BYO SG set on annotations, so managed SG will be skipped (when enabled through cloud-config)
•  

Dependencies (internal and external)

1. Internal:
   1. Cloud Infra team (CCM code changes and review)
2. External:
   1. Upstream CCM project to accept the feature of opt-in provision a service LB type NLB with security groups

Previous Work (Optional):

1. …

Open questions:

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>