Fix security group name handling in NodeENI controller

johnlam90 · johnlam90 · commit 7f41f3403f98 · 2025-05-06T12:16:36.000-05:00
diff --git a/deploy/samples/security_group_both_example.yaml b/deploy/samples/security_group_both_example.yaml
@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.aws/v1alpha1
+kind: NodeENI
+metadata:
+  name: multus-eni-sg-both
+spec:
+  nodeSelector:
+    ng: multi-eni
+  subnetID: subnet-0f59b4f14737be9ad
+  securityGroupIDs:
+  - sg-05da196f3314d4af8
+  securityGroupNames:
+  - multus-security-group
+  deviceIndex: 2
+  deleteOnTermination: true
+  description: "Multus ENI using both security group ID and name"
diff --git a/pkg/controller/nodeeni_controller.go b/pkg/controller/nodeeni_controller.go
@@ -559,21 +559,39 @@ func (r *NodeENIReconciler) createENI(ctx context.Context, nodeENI *networkingv1
 	}
 
 	// Determine the security group IDs to use
-	securityGroupIDs := nodeENI.Spec.SecurityGroupIDs
-	if len(securityGroupIDs) == 0 && len(nodeENI.Spec.SecurityGroupNames) > 0 {
-		// Look up security group IDs by name
+	var securityGroupIDs []string
+
+	// First, use any explicitly provided security group IDs
+	if len(nodeENI.Spec.SecurityGroupIDs) > 0 {
+		securityGroupIDs = append(securityGroupIDs, nodeENI.Spec.SecurityGroupIDs...)
+	}
+
+	// Then, look up any security group names and add those IDs
+	if len(nodeENI.Spec.SecurityGroupNames) > 0 {
 		for _, sgName := range nodeENI.Spec.SecurityGroupNames {
 			sgID, err := r.getSecurityGroupIDByName(ctx, sgName)
 			if err != nil {
 				return "", fmt.Errorf("failed to get security group ID from name %s: %v", sgName, err)
 			}
 			r.Log.Info("Resolved security group name to ID", "securityGroupName", sgName, "securityGroupID", sgID)
-			securityGroupIDs = append(securityGroupIDs, sgID)
+
+			// Check if this ID is already in the list (to avoid duplicates)
+			isDuplicate := false
+			for _, existingID := range securityGroupIDs {
+				if existingID == sgID {
+					isDuplicate = true
+					break
+				}
+			}
+
+			if !isDuplicate {
+				securityGroupIDs = append(securityGroupIDs, sgID)
+			}
 		}
 	}
 
 	if len(securityGroupIDs) == 0 {
-		return "", fmt.Errorf("neither securityGroupIDs nor securityGroupNames provided")
+		return "", fmt.Errorf("neither securityGroupIDs nor securityGroupNames provided, or all lookups failed")
 	}
 
 	input := &ec2.CreateNetworkInterfaceInput{
