User Story:
 

As a cluster admin, I want the AWS Cloud Controller Manager to automatically manage Network Load Balancer security groups under TechPreview, so that NLB security groups are properly configured without manual intervention.

Description

Modify HyperShift's CCM controller to inject NLBSecurityGroupMode = "Managed" into the AWS cloud-config when the hosted cluster has TechPreviewNoUpgrade feature set enabled.

This enables the AWS CCM to automatically manage security groups for Network Load Balancers, reducing manual configuration and ensuring proper security group setup.

Implementation location:

• File: control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/config.go
• Add configuration when featureSet == configv1.TechPreviewNoUpgrade

Acceptance Criteria

• Test that when HostedCluster has featureSet: TechPreviewNoUpgrade, the CCM cloud-config includes NLBSecurityGroupMode = "Managed"
• Test that when HostedCluster does NOT have TechPreview enabled, the cloud-config does NOT include NLBSecurityGroupMode
• Verify that no duplicate NLBSecurityGroupMode entries are added to cloud-config
• Verify that CCM pods restart and pick up the new configuration when TechPreview is enabled
• Test that existing clusters without TechPreview continue to work unchanged

Additional Context

• Spike work: https://github.com/mtulio/hypershift/commit/b1770c6ea8c646346fd38c919c70600ed170d6db
• Out of scope: GA promotion (separate story), documentation (separate story)

Additional Fields:

• Security: Red Hat Employee (required)
• Labels: ai-generated-jira (required)
• customfield_12319940: openshift-4.21
• parent: {"key": "SPLAT-2553"}
• components: HyperShift / ROSA