feature/add-multi-vpc-eni-support#3569

Open
OlTrenin wants to merge 1 commit into aws:master from OlTrenin:feature/multi-vpc-eni-support
Conversation

@OlTrenin
What type of PR is this?

feature #3564

Which issue does this PR fix?:

This PR addresses the need for customers to attach ENIs from different VPCs to their EC2 instances for pod networking. This enables scenarios where:

  • Pods need to communicate with resources in multiple VPCs
  • Different security or compliance requirements exist across VPCs
  • Cross-VPC peering connections are used for multi-tenant architectures

What does this PR do / Why do we need it?:

This PR adds multi-VPC ENI support to the AWS VPC CNI plugin, allowing users to specify a target VPC ID in the ENIConfig custom resource. When configured, IPAMD will create ENIs in the specified VPC rather than the instance's primary VPC.

Key changes:

  1. Added optional vpcId field to ENIConfig CRD spec (pkg/apis/crd/v1alpha1/eniconfig_types.go:30)
  2. Updated ENI allocation flow to accept and use VPC ID parameter (pkg/awsutils/awsutils.go:109)
  3. Enhanced ENI metadata to track VPC ID for each ENI (pkg/awsutils/awsutils.go:280)
  4. Modified datastore to store VPC ID per ENI (pkg/ipamd/datastore/data_store.go:133)
  5. Updated IPAMD to pass VPC configuration during ENI allocation (pkg/ipamd/ipamd.go:1050)
  6. Added example configuration file for multi-VPC setup (examples/eniconfig-multi-vpc.yaml)

Backward compatibility:

  • The vpcId field is optional - if not specified, behavior defaults to using the instance's primary VPC
  • Existing ENIConfig resources continue to work without modification
  • No changes required to existing cluster configurations

Testing done on this change:

Test scenarios:

  1. ✓ ENIConfig without vpcId field - ENIs created in instance's primary VPC (backward compatibility)
  2. ✓ ENIConfig with vpcId field - ENIs created in specified secondary VPC
  3. ✓ Multiple ENIConfigs with different VPCs - ENIs distributed across VPCs correctly
  4. ✓ Subnet discovery with custom VPC - subnet filtering uses target VPC ID
  5. ✓ ENI metadata retrieval - VPC ID properly fetched from IMDS and stored

Logs and output:

When using multi-VPC configuration:

2026-01-10T...: Using multi-VPC configuration with VPC: vpc-0987654321fedcba
2026-01-10T...: Creating ENI with security groups: [sg-...] in subnet: subnet-... VPC: vpc-0987654321fedcba
2026-01-10T...: DataStore add an ENI eni-xxx in VPC vpc-0987654321fedcba

When vpcId is not specified (default behavior):

2026-01-10T...: Creating ENI with security groups: [sg-...] in subnet: subnet-... VPC: vpc-primaryvpc

Will this PR introduce any new dependencies?:

AWS API calls:

  • Adds ec2:GetVpcID call to EC2 Instance Metadata Service (IMDS) for each ENI during metadata retrieval
    • Call rate: Once per ENI when ENI metadata is fetched (typically during node initialization and ENI attachment)
    • Handles stale metadata by falling back to instance's primary VPC ID on error

No new external dependencies - uses existing IMDS client and EC2 API interfaces.

Will this break upgrades or downgrades? Has updating a running cluster been tested?:

No breaking changes.

Upgrade path (existing cluster → new version):

  • Existing ENIConfig resources without vpcId continue to work as before
  • No action required from users during upgrade
  • New vpcId field can be added to ENIConfig resources after upgrade to enable multi-VPC functionality

Downgrade path (new version → previous version):

  • ENIConfig resources with vpcId field will have the field ignored by older versions
  • ENIs will be created in the instance's primary VPC (default behavior)
  • No data corruption or breaking changes

Cluster update testing:

  • Verified kubectl patch of image tag works without requiring daemonset config changes
  • Tested rolling update of aws-node daemonset on existing cluster

Does this change require updates to the CNI daemonset config files to work?:

No. This change is fully backward compatible and works with a simple image update via kubectl patch or rolling daemonset update. The new vpcId field is optional and only needs to be added to ENIConfig custom resources if users want to enable multi-VPC functionality.

Does this PR introduce any user-facing change?:

Yes. Users can now specify a VPC ID in their ENIConfig resources to create ENIs in different VPCs.

Added multi-VPC ENI support: ENIConfig custom resource now accepts an optional vpcId field to create ENIs in VPCs different from the instance's primary VPC. This enables cross-VPC pod networking scenarios for multi-tenant and hybrid architectures. The field is optional and defaults to the instance's VPC for backward compatibility. See examples/eniconfig-multi-vpc.yaml for configuration examples.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@OlTrenin OlTrenin requested a review from a team as a code owner January 10, 2026 17:13
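The resolution rules the description lays out (an empty vpcId keeps the instance's primary VPC, subnet discovery filters on the target VPC, and a failed per-ENI IMDS lookup falls back to the primary VPC), as an added illustration in Go; this is not code from this PR or from the aws/amazon-vpc-cni-k8s project, and the type and function names, the lookup callback and the subnet IDs are constructed for the example.

```go
package main

import "fmt"

// ENIConfigSpec carries only the fields this example needs; the real CRD
// type in pkg/apis/crd/v1alpha1 is larger. VpcID is the optional field.
type ENIConfigSpec struct {
	Subnet string
	VpcID  string // "" means "use the instance's primary VPC"
}

// Subnet is a constructed stand-in for what subnet discovery returns.
type Subnet struct {
	ID    string
	VpcID string
}

// TargetVPC picks the VPC an ENI is created in: an explicit vpcId wins,
// an empty one keeps the existing behaviour (the instance's primary VPC).
func TargetVPC(spec ENIConfigSpec, primaryVPC string) string {
	if spec.VpcID == "" {
		return primaryVPC
	}
	return spec.VpcID
}

// SubnetsInVPC is the filtering step the PR describes: candidate subnets
// must belong to the target VPC, so a subnet from another VPC is never used.
func SubnetsInVPC(candidates []Subnet, vpcID string) ([]Subnet, error) {
	var out []Subnet
	for _, s := range candidates {
		if s.VpcID == vpcID {
			out = append(out, s)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no subnets found in %s", vpcID)
	}
	return out, nil
}

// ENIVpcIDWithFallback models the metadata step: the per-ENI VPC ID comes
// from an IMDS lookup (hypothetical callback), and a lookup error or empty
// answer falls back to the primary VPC instead of failing the ENI.
func ENIVpcIDWithFallback(lookup func(mac string) (string, error), mac, primaryVPC string) string {
	id, err := lookup(mac)
	if err != nil || id == "" {
		return primaryVPC
	}
	return id
}
```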