DNM/SPLAT-2113: spike aws/CIO/IngressNLBSecurityGroup feature gate

features.md

@@ -8,6 +8,7 @@
 | ClusterVersionOperatorConfiguration| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
 | DualReplica| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
 | Example2| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | |  |
+| IngressNLBSecurityGroup| | | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMCatalogdAPIV1Metas| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMOwnSingleNamespace| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |
 | NewOLMPreflightPermissionChecks| | | | <span style="background-color: #519450">Enabled</span> | | <span style="background-color: #519450">Enabled</span>  |

features/features.go

@@ -835,4 +835,12 @@ var (
 									enhancementPR("https://github.com/openshift/enhancements/pull/1748").
 									enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
 									mustRegister()
+
+	FeatureGateIngressNLBSecurityGroup = newFeatureGate("IngressNLBSecurityGroup").
+						reportProblemsToJiraComponent("Networking/router").
+						contactPerson("miciah").
+						productScope(kubernetes).
+						enhancementPR("https://github.com/kubernetes/enhancements/issues/TBD").
+						enableIn(configv1.TechPreviewNoUpgrade).
+						mustRegister()
 )

openapi/openapi.json

@@ -26468,6 +26468,18 @@
           },
           "x-kubernetes-list-type": "atomic"
         },
+        "managedSecurityGroup": {
+          "description": "managedSecurityGroup specifies whether the service load balancer should create and manage security groups for the Network Load Balancer.",
+          "type": "boolean"
+        },
+        "securityGroups": {
+          "description": "securityGroups is a list of IDs or Names of Security Groups (SG) instances that are assigned to the Network Load Balancer. The following restrictions apply:\n\nOnly a single Security Group can be added (??). An SG can be allocated to only a single IngressController.\n\nSecurityGroups *AWSSecurityGroups `json:\"securityGroups\"`",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "default": ""
+          }
+        },
         "subnets": {
           "description": "subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10.\n\nIn order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values.\n\nWhen omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object.",
           "$ref": "#/definitions/com.github.openshift.api.operator.v1.AWSSubnets"

operator/v1/types_ingress.go

@@ -682,6 +682,13 @@ type AWSSubnetID string
 // +kubebuilder:validation:XValidation:rule=`!self.startsWith('subnet-')`,message="subnet name cannot start with 'subnet-'"
 type AWSSubnetName string
 
+// AWSSecurityGroup is a reference to an AWS security group name or ID.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=256
+// +kubebuilder:validation:XValidation:rule=`!self.contains(',')`,message="security group name cannot contain a comma"
+// +kubebuilder:validation:XValidation:rule=`self.startsWith('sg-') ? self.matches('^sg-[0-9A-Za-z]{17}$') : true`,message="security group follow the pattern '^sg-[0-9A-Za-z]{17}$' if it starts with 'sg-'"
+type AWSSecurityGroup string
+
 // GCPLoadBalancerParameters provides configuration settings that are
 // specific to GCP load balancers.
 type GCPLoadBalancerParameters struct {
@@ -842,7 +849,26 @@ type AWSNetworkLoadBalancerParameters struct {
 	// +listType=atomic
 	// +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="eipAllocations cannot contain duplicates"
 	// +kubebuilder:validation:MaxItems=10
-	EIPAllocations []EIPAllocation `json:"eipAllocations"`
+	EIPAllocations []EIPAllocation `json:"eipAllocations,omitempty"`
+
+	// securityGroups is a list of IDs or Names of Security Groups (SG) instances that
+	// are assigned to the Network Load Balancer.
+	// The following restrictions apply:
+	//
+	// Only a single Security Group can be added (??).
+	// An SG can be allocated to only a single IngressController.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=IngressNLBSecurityGroup
+	// SecurityGroups *AWSSecurityGroups `json:"securityGroups"`
+	SecurityGroups []AWSSecurityGroup `json:"securityGroups,omitempty"`
+
+	// managedSecurityGroup specifies whether the service load balancer should create
+	// and manage security groups for the Network Load Balancer.
+	//
+	// +optional
+	// +openshift:enable:FeatureGate=IngressNLBSecurityGroup
+	ManagedSecurityGroup bool `json:"managedSecurityGroup,omitempty"`
 }
 
 // EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment.