svc/nlb/sg/validations: ensure annotations matches NLB SG

Ensure annotation matches feature NLB with Security Groups by preventing
standard controller BYO SG annotations due existing controller
limitations.

Author: mtulio

pkg/providers/v1/aws_validations.go

@@ -53,10 +53,26 @@ func ensureLoadBalancerValidation(v *awsValidationInput) error {
 func validateServiceAnnotations(v *awsValidationInput) error {
 	isNLB := isNLB(v.annotations)
 
+	// ServiceAnnotationLoadBalancerSecurityGroups
+	// NLB only: ensure the BYO annotations are not supported and return an error.
+	// FIXME: the BYO SG for NLB implementation is blocked by https://github.com/kubernetes/cloud-provider-aws/pull/1209
+	if _, hasBYOAnnotation := v.annotations[ServiceAnnotationLoadBalancerSecurityGroups]; hasBYOAnnotation {
+		if isNLB {
+			return fmt.Errorf("BYO security group annotation %q is not supported by NLB", ServiceAnnotationLoadBalancerSecurityGroups)
+		}
+	}
+
+	// ServiceAnnotationLoadBalancerExtraSecurityGroups
+	if _, hasExtraBYOAnnotation := v.annotations[ServiceAnnotationLoadBalancerExtraSecurityGroups]; hasExtraBYOAnnotation {
+		if isNLB {
+			return fmt.Errorf("BYO extra security group annotation %q is not supported by NLB", ServiceAnnotationLoadBalancerExtraSecurityGroups)
+		}
+	}
+
 	// ServiceAnnotationLoadBalancerTargetGroupAttributes
 	if _, present := v.annotations[ServiceAnnotationLoadBalancerTargetGroupAttributes]; present {
 		if !isNLB {
-			return fmt.Errorf("target group annotations attribute is only supported for NLB")
+			return fmt.Errorf("target group annotations attributes are only supported for NLB")
 		}
 		if err := validateServiceAnnotationTargetGroupAttributes(v); err != nil {
 			return err