I think we should have MinItems=0.
MinItems=1 would enforce that customers specify at least 1 SG name. What if they want to specify only SG IDs?

We need to enforce that both lists combined is not empty though.

ya thats a good call out, let me see what we can do here

The non-empty check I believe is checked on CreateNetworkInterface. Do you have different place in mind?

Yeah, it would be good to include in CRD validation, let me see how to do this with kubebuilder.

This is not required, you can use getMockWrapper in helper_test.go here and pass in any mock VPC ID.

We added this here because need to to expose the internal cache for testing.

I'm not sure caching is a good idea here.

Consider the scenario where a security group policy includes sg-example-name corresponding to sg-1111. This is added to securityGroupNameToIdMap, and some pod A is launched with sg-1111 attached to the branchENI. Now, customer deleted sg-1111 and created sg-2222 with the same name sg-example-name. But the map still points to old sg-1111 which no longer exists. So any pods launched after would be stuck in creation process as branchENI cannot be created(due to missing SG).

Need to evaluate if we always have to do an API call during pod creation or we can consider periodically refreshing the cache (TTL caching).

I think a TTL caching make sense given (at least from our side) how rare we change delete security group and recreate with the same name. The cache was added to reduce the number of calls we hit EC2 API with.

Any reason why this is moved from pkg/utils/helper.go?

There is a circular dependency which required moving a few things out of utils such as this and the httpclient code