From 544305d489ceca3fcd6aac4dada800556e8d0cd5 Mon Sep 17 00:00:00 2001
From: Jeff Nelson
Date: Tue, 20 Feb 2024 19:23:12 +0000
Subject: [PATCH] skip adding IPs to trunk ENI; enable Custom Networking before SGPP

---
 pkg/ipamd/datastore/data_store.go | 4 ++--
 pkg/ipamd/ipamd.go | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/pkg/ipamd/datastore/data_store.go b/pkg/ipamd/datastore/data_store.go
index ee4c5d1e9e..ba49b98bc3 100644
--- a/pkg/ipamd/datastore/data_store.go
+++ b/pkg/ipamd/datastore/data_store.go
@@ -978,8 +978,8 @@ func (ds *DataStore) GetENINeedsIP(maxIPperENI int, skipPrimary bool) *ENI {
 ds.lock.Lock()
 defer ds.lock.Unlock()
 for _, eni := range ds.eniPool {
- if skipPrimary && eni.IsPrimary {
- ds.log.Debugf("Skip the primary ENI for need IP check")
+ if (skipPrimary && eni.IsPrimary) || eni.IsTrunk {
+ ds.log.Debugf("Skip needs IP check for trunk ENI of primary ENI when Custom Networking is enabled")
 continue
 }
 if len(eni.AvailableIPv4Cidrs) < maxIPperENI {
diff --git a/pkg/ipamd/ipamd.go b/pkg/ipamd/ipamd.go
index 3689bb052b..f3f06cac57 100644
--- a/pkg/ipamd/ipamd.go
+++ b/pkg/ipamd/ipamd.go
@@ -455,12 +455,12 @@ func (c *IPAMContext) nodeInit() error {
 return err
 }
 
- if c.enablePodENI {
- // Try to patch CNINode with Security Groups for Pods feature.
- c.tryEnableSecurityGroupsForPods(ctx)
- }
-
 if c.enableIPv6 {
+ // Security Groups for Pods cannot be enabled for IPv4 at this point, as Custom Networking must be enabled first.
+ if c.enablePodENI {
+ // Try to patch CNINode with Security Groups for Pods feature.
+ c.tryEnableSecurityGroupsForPods(ctx)
+ }
 // We will not support upgrading/converting an existing IPv4 cluster to operate in IPv6 mode. So, we will always
 // start with a clean slate in IPv6 mode. We also do not have to deal with dynamic update of Prefix Delegation
 // feature in IPv6 mode as we do not support (yet) a non-PD v6 option. In addition, we do not support custom 
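Review bot: The new debug message on the added `+` line says the skip is for the trunk ENI "when Custom Networking is enabled", but the condition checks neither Custom Networking nor which of its two operands fired, so the same message is now logged for the primary ENI under `skipPrimary` and for the trunk ENI regardless of Custom Networking. Logging the discriminating fields keeps the trace accurate when someone later asks why an ENI received no IPs: `ds.log.Debugf("Skip needs IP check for ENI (primary=%v, trunk=%v)", eni.IsPrimary, eni.IsTrunk)`. A one-line comment above the `if`, such as `// The trunk ENI never receives secondary IPs; the primary ENI is skipped only when the caller asks for it.`, would also save the next reader from looking for a Custom Networking check that does not exist here. GetENINeedsIP continues past the hunk.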
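Review bot: The relocated call to tryEnableSecurityGroupsForPods now sits inside the `if c.enableIPv6` branch, and the next hunk (@@ -540) adds a second call guarded only by `c.enablePodENI`; if the IPv6 branch falls through to that point instead of returning, an IPv6 node with Pod ENI enabled would patch CNINode twice. The remainder of the IPv6 branch is outside this hunk, so this is inferred; confirm the branch returns before the Custom Networking block, or guard the later call with `if c.enablePodENI && !c.enableIPv6 {`. The added comment about IPv4 also reads better placed above `if c.enableIPv6 {` than inside the IPv6 branch it does not describe, e.g. `// IPv4 nodes enable Security Groups for Pods later in nodeInit, after Custom Networking has been configured.`. nodeInit starts and ends outside the hunk.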
@@ -540,6 +540,11 @@ func (c *IPAMContext) nodeInit() error {
 }
 }
 
+ // Now that Custom Networking is (potentially) enabled, Security Groups for Pods can be enabled for IPv4 nodes.
+ if c.enablePodENI {
+ c.tryEnableSecurityGroupsForPods(ctx)
+ }
+
 // On node init, check if datastore pool needs to be increased. If so, attach CIDRs from existing ENIs and attach new ENIs.
 datastorePoolTooLow, _ := c.isDatastorePoolTooLow()
 if !c.disableENIProvisioning && datastorePoolTooLow {
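Review bot: The new IPv4 call site drops the `// Try to patch CNINode with Security Groups for Pods feature.` comment that the IPv6 call site keeps, and "(potentially)" in the added comment leaves the reader guessing which condition decides the ordering. A comment such as `// Custom Networking, if enabled, has been configured above, so Security Groups for Pods can now be enabled for IPv4 nodes; the IPv6 branch earlier in nodeInit handles its own case.` states the dependency the commit title promises. The call's outcome is not observable at this point, so a failed CNINode patch is not surfaced here; presumably tryEnableSecurityGroupsForPods logs its own result, which is worth confirming since pods relying on per-pod security groups would otherwise start without them silently. nodeInit continues past the hunk.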