From af6d1661e59ac5c26ab6d4acff7a2960d9034583 Mon Sep 17 00:00:00 2001
From: Rafael Fonseca
Date: Thu, 20 Jun 2024 14:56:23 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B:=20elbv2:=20skip=20adding=20securi?=
 =?UTF-8?q?ty=20groups=20to=20NLB=20in=20secret=20regions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Secret regions don't yet support security groups for NLBs.
---
 pkg/cloud/services/elb/loadbalancer.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/cloud/services/elb/loadbalancer.go b/pkg/cloud/services/elb/loadbalancer.go
index c7beb578d4..3fa047a522 100644
--- a/pkg/cloud/services/elb/loadbalancer.go
+++ b/pkg/cloud/services/elb/loadbalancer.go
@@ -64,6 +64,9 @@ const apiServerTargetGroupPrefix = "apiserver-target-"
 // listeners.
 const additionalTargetGroupPrefix = "additional-listener-"
 
+// cantAttachSGToNLBRegions is a set of regions that do not support Security Groups in NLBs.
+var cantAttachSGToNLBRegions = sets.New("us-iso-east-1", "us-iso-west-1", "us-isob-east-1")
+
 // ReconcileLoadbalancers reconciles the load balancers for the given cluster.
 func (s *Service) ReconcileLoadbalancers() error {
 s.scope.Debug("Reconciling load balancers")
@@ -395,6 +398,11 @@ func (s *Service) createLB(spec *infrav1.LoadBalancer, lbSpec *infrav1.AWSLoadBa
 input.IpAddressType = aws.String("dualstack")
 }
 
+ // TODO: remove when security groups on NLBs is supported in all regions.
+ if cantAttachSGToNLBRegions.Has(s.scope.Region()) {
+ input.SecurityGroups = nil
+ }
+
 // Allocate custom addresses (Elastic IP) to internet-facing Load Balancers, when defined.
 // Custom, or BYO, Public IPv4 Pool need to be created prior install, and the Pool ID must be
 // set in the VpcSpec.ElasticIPPool.PublicIPv4Pool to allow Elastic IP be consumed from
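Review bot: The doc comment on `cantAttachSGToNLBRegions` names the limitation but not what it means for a cluster running in those regions. Since createLB uses the set to drop the security groups from the create request, I would extend the comment, for example `// Load balancers created in these regions carry no security group; traffic filtering is left to the targets' own groups.` The set is also a mutable package-level `var` matched on the exact region name, so a region with the same limitation that is missing from the list would still have groups attached to the request.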
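Review bot: The added `input.SecurityGroups = nil` in createLB discards the configured security groups without any log line, and the guard tests only the region, not the load balancer type. If createLB is also reached for non-NLB load balancers (its earlier body is outside the hunk), those would lose their groups as well, so the condition should probably also require the NLB type. I would also record the decision, e.g. `s.scope.Debug("Skipping security groups on NLB, not supported in this region", "region", s.scope.Region())`, so an operator can see why groups set in the spec are absent. AWS does not allow associating security groups with an NLB that was created without any, so removing this block later will not add groups to load balancers that already exist; the TODO should say that.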