🐛: elbv2: skip adding security groups to NLB in secret regions

[r4f4]

Secret regions don't yet support security groups for NLBs.

What type of PR is this?

/kind bug

What this PR does / why we need it:

C2S/SC2S regions do not support security groups on Network load balancers.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #5029

Special notes for your reviewer:

Checklist:

• [X] squashed commits
• [ ] includes documentation
• [X] includes emojis
• [ ] adds unit tests
• [ ] adds or updates e2e tests

Release note:

Fix: do not attach security groups for Network Load Balancers in secret regions.

[k8s-ci-robot]

Hi @r4f4. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[r4f4]

Openshift e2e results for the public cloud are good (no breakage): https://github.com/openshift/installer/pull/8636

I'm trying to get this changed tested on a secret region.

[richardcase]

/ok-to-test

[r4f4]

/test ?

[k8s-ci-robot]

@r4f4: The following commands are available to trigger required jobs:

• /test pull-cluster-api-provider-aws-build
• /test pull-cluster-api-provider-aws-build-docker
• /test pull-cluster-api-provider-aws-test
• /test pull-cluster-api-provider-aws-verify

The following commands are available to trigger optional jobs:

• /test pull-cluster-api-provider-aws-apidiff-main
• /test pull-cluster-api-provider-aws-e2e
• /test pull-cluster-api-provider-aws-e2e-blocking
• /test pull-cluster-api-provider-aws-e2e-clusterclass
• /test pull-cluster-api-provider-aws-e2e-conformance
• /test pull-cluster-api-provider-aws-e2e-conformance-with-ci-artifacts
• /test pull-cluster-api-provider-aws-e2e-eks
• /test pull-cluster-api-provider-aws-e2e-eks-gc
• /test pull-cluster-api-provider-aws-e2e-eks-testing

Use /test all to run the following jobs that were automatically triggered:

• pull-cluster-api-provider-aws-apidiff-main
• pull-cluster-api-provider-aws-build
• pull-cluster-api-provider-aws-build-docker
• pull-cluster-api-provider-aws-test
• pull-cluster-api-provider-aws-verify

In response to [this](https://github.com/kubernetes-sigs/cluster-api-provider-aws/pull/5030#issuecomment-2200975112): >/test ? Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[r4f4]

Update:

• add a fix for info message with a spurious "%s"
• print a different message for regions that do not support NLB security groups. loadbalancer.go:1799: Pre-existing NLB %s without security groups, cannot reconcile security groups might be confusing on those cases.

[r4f4]

/test pull-cluster-api-provider-aws-e2e-blocking

[dmc5179]

I'm an OCP SSA supporting the customers who use the us-iso and us-isob regions. In earlier testing of the new CAPA changes I discovered that, while AWS commercial supports NLBs with security groups, the us-iso and us-isob regions do not. If the openshift-installer attempts to add security groups to an NLB in the iso regions it will fail and error out. I tested this proposed code change in the us-iso regions and found that the openshift-installer successfully provisions the NLBs without security groups.

[r4f4]

Now that we've tested it in a secret cloud: /assign @richardcase

[damdo]

/assign @richardcase @nrb Would you mind stamping you approval here? TY

[nrb]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/main/OWNERS)~~ [nrb] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment