nutanix-cloud-native
diff --git a/‎api/v1alpha1/aws_node_types.go
Lines changed: 32 additions & 3 deletions b/‎api/v1alpha1/aws_node_types.go
Lines changed: 32 additions & 3 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go
Lines changed: 48 additions & 0 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go
Lines changed: 48 additions & 0 deletions
diff --git a/‎charts/capi-runtime-extensions/templates/csi/aws-ebs/manifests/aws-ebs-csi-configmap.yaml
Lines changed: 17 additions & 9 deletions b/‎charts/capi-runtime-extensions/templates/csi/aws-ebs/manifests/aws-ebs-csi-configmap.yaml
Lines changed: 17 additions & 9 deletions
diff --git a/‎docs/content/customization/aws/security-groups.md
Lines changed: 74 additions & 0 deletions b/‎docs/content/customization/aws/security-groups.md
Lines changed: 74 additions & 0 deletions
diff --git a/‎pkg/handlers/aws/mutation/metapatch_handler.go
Lines changed: 3 additions & 0 deletions b/‎pkg/handlers/aws/mutation/metapatch_handler.go
Lines changed: 3 additions & 0 deletions
@@ -19,6 +19,34 @@ type AWSNodeSpec struct {
 	// If both AMI ID and AMI lookup arguments are provided then AMI ID takes precedence
 	//+optional
 	AMISpec *AMISpec `json:"ami,omitempty"`
+
+	//+optional
+	AdditionalSecurityGroups AdditionalSecurityGroup `json:"additionalSecurityGroups,omitempty"`
+}
+
+type AdditionalSecurityGroup []SecurityGroup
+
+type SecurityGroup struct {
+	// ID is the id of the security group
+	// +optional
+	ID *string `json:"id,omitempty"`
+}
+
+func (AdditionalSecurityGroup) VariableSchema() clusterv1.VariableSchema {
+	return clusterv1.VariableSchema{
+		OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+			Type: "array",
+			Items: &clusterv1.JSONSchemaProps{
+				Type: "object",
+				Properties: map[string]clusterv1.JSONSchemaProps{
+					"id": {
+						Type:        "string",
+						Description: "Security group ID to add for the cluster Machines",
+					},
+				},
+			},
+		},
+	}
 }
 
 func (AWSNodeSpec) VariableSchema() clusterv1.VariableSchema {
@@ -27,9 +55,10 @@ func (AWSNodeSpec) VariableSchema() clusterv1.VariableSchema {
 			Description: "AWS Node configuration",
 			Type:        "object",
 			Properties: map[string]clusterv1.JSONSchemaProps{
-				"iamInstanceProfile": IAMInstanceProfile("").VariableSchema().OpenAPIV3Schema,
-				"instanceType":       InstanceType("").VariableSchema().OpenAPIV3Schema,
-				"ami":                AMISpec{}.VariableSchema().OpenAPIV3Schema,
+				"iamInstanceProfile":       IAMInstanceProfile("").VariableSchema().OpenAPIV3Schema,
+				"instanceType":             InstanceType("").VariableSchema().OpenAPIV3Schema,
+				"ami":                      AMISpec{}.VariableSchema().OpenAPIV3Schema,
+				"additionalSecurityGroups": AdditionalSecurityGroup{}.VariableSchema().OpenAPIV3Schema,
 			},
 		},
 	}
 
@@ -1630,7 +1630,7 @@ data:
                   key: endpoint
                   name: aws-meta
                   optional: true
-            image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.23.1
+            image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.23.2
             imagePullPolicy: IfNotPresent
             livenessProbe:
               failureThreshold: 5
@@ -1675,7 +1675,7 @@ data:
             env:
             - name: ADDRESS
               value: /var/lib/csi/sockets/pluginproxy/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v3.5.0-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v3.6.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             name: csi-provisioner
             resources:
@@ -1697,7 +1697,7 @@ data:
             env:
             - name: ADDRESS
               value: /var/lib/csi/sockets/pluginproxy/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.3.0-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.4.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             name: csi-attacher
             resources:
@@ -1719,7 +1719,7 @@ data:
             env:
             - name: ADDRESS
               value: /var/lib/csi/sockets/pluginproxy/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v6.2.2-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v6.3.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             name: csi-snapshotter
             resources:
@@ -1742,7 +1742,7 @@ data:
             env:
             - name: ADDRESS
               value: /var/lib/csi/sockets/pluginproxy/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.8.0-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.9.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             name: csi-resizer
             resources:
@@ -1759,7 +1759,7 @@ data:
               name: socket-dir
           - args:
             - --csi-address=/csi/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.10.0-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.11.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             name: liveness-probe
             resources:
@@ -1891,6 +1891,14 @@ data:
                     operator: NotIn
                     values:
                     - fargate
+                  - key: node.kubernetes.io/instance-type
+                    operator: NotIn
+                    values:
+                    - a1.medium
+                    - a1.large
+                    - a1.xlarge
+                    - a1.2xlarge
+                    - a1.4xlarge
           containers:
           - args:
             - node
@@ -1904,7 +1912,7 @@ data:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-            image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.23.1
+            image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.23.2
             imagePullPolicy: IfNotPresent
             lifecycle:
               preStop:
@@ -1951,7 +1959,7 @@ data:
               value: /csi/csi.sock
             - name: DRIVER_REG_SOCK_PATH
               value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.8.0-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.9.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             livenessProbe:
               exec:
@@ -1981,7 +1989,7 @@ data:
               name: probe-dir
           - args:
             - --csi-address=/csi/csi.sock
-            image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.10.0-eks-1-28-4
+            image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.11.0-eks-1-28-7
             imagePullPolicy: IfNotPresent
             name: liveness-probe
             resources:
 
@@ -0,0 +1,74 @@
++++
+title = "AWS Additional Security Group Spec"
++++
+
+The AWS additional security group customization allows the user to specify security groups to the created machines.
+The customization can be applied to both control plane and nodepool machines.
+This customization will be available when the
+[provider-specific cluster configuration patch]({{< ref "..">}}) is included in the `ClusterClass`.
+
+## Example
+
+To specify addiitonal security groups for all control plane and nodepools, use the following configuration:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          controlPlane:
+            aws:
+              additionalSecurityGroups:
+              - id: "sg-0fcfece738d3211b8"
+      - name: workerConfig
+        value:
+          aws:
+            additionalSecurityGroups:
+            - id: "sg-0fcfece738d3211b8"
+```
+
+We can further customize individual MachineDeployments by using the overrides field with the following configuration:
+
+```yaml
+spec:
+  topology:
+    # ...
+    workers:
+      machineDeployments:
+        - class: default-worker
+          name: md-0
+          variables:
+            overrides:
+              - name: workerConfig
+                value:
+                  aws:
+                    additionalSecurityGroups:
+                    - id: "sg-0fcfece738d3211b8"
+```
+
+Applying this configuration will result in the following value being set:
+
+- control-plane `AWSMachineTemplate`:
+
+  - ```yaml
+    spec:
+      template:
+        spec:
+          additionalSecurityGroups:
+          - id: sg-0fcfece738d3211b8
+    ```
+
+- worker `AWSMachineTemplate`:
+
+  - ```yaml
+    spec:
+      template:
+        spec:
+          additionalSecurityGroups:
+          - id: sg-0fcfece738d3211b8
+    ```
@@ -14,6 +14,7 @@ import (
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/aws/mutation/instancetype"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/aws/mutation/network"
 	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/aws/mutation/region"
+	"github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/aws/mutation/securitygroups"
 	genericmutation "github.com/d2iq-labs/capi-runtime-extensions/pkg/handlers/generic/mutation"
 )
 
@@ -27,6 +28,7 @@ func MetaPatchHandler(mgr manager.Manager) handlers.Named {
 			iaminstanceprofile.NewControlPlanePatch(),
 			instancetype.NewControlPlanePatch(),
 			ami.NewControlPlanePatch(),
+			securitygroups.NewControlPlanePatch(),
 		},
 		genericmutation.MetaMutators(mgr)...,
 	)
@@ -43,6 +45,7 @@ func MetaWorkerPatchHandler() handlers.Named {
 		iaminstanceprofile.NewWorkerPatch(),
 		instancetype.NewWorkerPatch(),
 		ami.NewWorkerPatch(),
+		securitygroups.NewWorkerPatch(),
 	}
 
 	return mutation.NewMetaGeneratePatchesHandler(