Add support for NLB security group

[oliviassss]

Issue

Description

Added support of Security Groups for NLB. With the security group support, it is feasible to forward the NLB traffic to the EC2 instances without having to open up the instances for global access. For backwards compatibility, NLBs created without the security groups or the existing NLBs will continue to provide the legacy behavior. Similar to ALB, there are two sets of SGs for NLB - frontend and backend SGs:

• The controller will automatically create and attach the frontend SG to the NLB provisioned, and add rules for inbound-cidrs and listen-ports. If the users want to attach existing frontend SG to the NLB, they can explicitly specify via annotation service.beta.kubernetes.io/aws-load-balancer-security-groups
• The Backend SG controls the traffic between the NLB and the EC2 instances/ENIs, and it gets attached to the NLB similar to the frontend SG. In case of auto-generated frontend SG, the controller automatically adds Node/ENI SG rules to allow egress traffic from the NLB. The rule management is disabled by default if the frontend SG is specified via annotation. We provide an annotation to configure controller’s management on backend SG rules regardless of the frontend SG type service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: true/false

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[codecov-commenter]

Codecov Report

Patch coverage: 93.77% and project coverage change: +0.90% 🎉

Comparison is base (05e6f58) 54.71% compared to head (09b6030) 55.61%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3329      +/-   ##
==========================================
+ Coverage   54.71%   55.61%   +0.90%     
==========================================
  Files         148      149       +1     
  Lines        8626     8819     +193     
==========================================
+ Hits         4720     4905     +185     
- Misses       3574     3577       +3     
- Partials      332      337       +5     

Files Changed	Coverage Δ
pkg/config/feature_gates.go	0.00% <0.00%> (ø)
pkg/networking/backend_sg_provider.go	92.45% <78.57%> (-1.39%)	⬇️
pkg/service/model_build_load_balancer.go	84.22% <85.07%> (+2.07%)	⬆️
pkg/service/model_build_managed_sg.go	94.11% <94.11%> (ø)
pkg/service/model_build_target_group.go	87.58% <100.00%> (+1.90%)	⬆️
pkg/service/model_builder.go	91.34% <100.00%> (+3.04%)	⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[M00nF1sh]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, oliviassss

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [M00nF1sh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[johngmyers]

This is not a terribly helpful error message, as it gives no clue as to what is conflicting. Better to say something like "existing NLB has security groups attached, but NLBSecurityGroup feature gate is disabled"

[johngmyers]

Should it not be possible to add a SG to an existing NLB by explicitly setting the relevant annotation?

[johngmyers]

wantError should be more specific: it should be a string and should assert.EqualError()

[johngmyers]

Should probably be doing asserts on the returned value of backendSGRequired