add webhook proxy test

config/helm/aws-node-termination-handler/README.md

@@ -84,6 +84,3 @@ Parameter | Description | Default
 `procUptimeFile` | (Used for Testing) Specify the uptime file | `/proc/uptime`
 `securityContext.runAsUserID` | User ID to run the container | `1000`
 `securityContext.runAsGroupID` | Group ID to run the container | `1000` 
-
-
-

config/helm/ec2-metadata-test-proxy/templates/clusterrole.yaml

@@ -9,29 +9,4 @@ rules:
     - nodes
   verbs:
     - get
-    - patch
-    - update
-- apiGroups:
-    - ""
-  resources:
-    - pods
-  verbs:
-    - list
-- apiGroups:
-    - ""
-  resources:
-    - pods/eviction
-  verbs:
-    - create
-- apiGroups:
-    - extensions
-  resources:
-    - daemonsets
-  verbs:
-    - get
-- apiGroups:
-    - apps
-  resources:
-    - daemonsets
-  verbs:
-    - get
+

config/helm/ec2-metadata-test-proxy/templates/daemonset.yaml

@@ -37,6 +37,3 @@ spec:
         - name: ENABLE_IMDS_V2
           value: {{ .Values.ec2MetadataTestProxy.enableIMDSV2 | quote }}
 {{- end -}}
-
-
-

config/helm/ec2-metadata-test-proxy/templates/regular-pod-test.yaml

@@ -27,6 +27,3 @@ spec:
         - name: PORT
           value: {{ .Values.regularPodTest.port | quote }}
 {{- end -}}
-
-
-

config/helm/ec2-metadata-test-proxy/templates/service.yaml

@@ -7,4 +7,4 @@ spec:
     app: {{ .Values.ec2MetadataTestProxy.label }}
   ports:
   - port: {{ .Values.ec2MetadataTestProxy.port }}
-    protocol: TCP
+    protocol: TCP

config/helm/squid/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

config/helm/squid/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+name: squid
+description: A Helm chart for Squid
+version: 0.0.1
+appVersion: 1.0.0
+home: https://github.com/aws/aws-node-termination-handler
+icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
+sources:
+  - https://github.com/aws/aws-node-termination-handler/test/squid

config/helm/squid/templates/_helpers.tpl

@@ -0,0 +1,57 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "squid.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "squid.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "squid.labels" -}}
+app.kubernetes.io/name: {{ include "squid.name" . }}
+helm.sh/chart: {{ include "squid.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+k8s-app: squid
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "squid.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "squid.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "squid.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

config/helm/squid/templates/clusterrole.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "squid.fullname" . }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - nodes
+  verbs:
+    - get

config/helm/squid/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "squid.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "squid.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "squid.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io

config/helm/squid/templates/daemonset.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ .Values.squid.label }}
+  labels:
+    app: {{ .Values.squid.label }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.squid.label }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.squid.label }}
+    spec:
+      serviceAccountName: {{ template "squid.serviceAccountName" . }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: {{ .Values.squid.label }}
+        image: {{ .Values.squid.image.repository }}:{{ .Values.squid.image.tag }}
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: {{ .Values.squid.port }}
+          hostPort: {{ .Values.squid.port }}
+        volumeMounts:
+          - name: squid-config
+            mountPath: /etc/squid
+            readOnly: true
+      volumes:
+        - name: squid-config
+          configMap: 
+            name: {{ .Values.squid.configMap }}
+

config/helm/squid/templates/psp.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "squid.fullname" . }}
+  labels:
+{{ include "squid.labels" . | indent 4 }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  privileged: false
+  hostIPC: false
+  hostNetwork: true
+  hostPorts:
+    - min: 1024
+      max: 65535
+  hostPID: false
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+    - '*'
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "squid.fullname" . }}-psp
+  labels:
+{{ include "squid.labels" . | indent 4 }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+      - {{ template "squid.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "squid.fullname" . }}-psp
+  labels:
+{{ include "squid.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "squid.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "squid.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

config/helm/squid/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "squid.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- with .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+{{ include "squid.labels" . | indent 4 }}

config/helm/squid/values.yaml

@@ -0,0 +1,18 @@
+nameOverride: ""
+fullnameOverride: ""
+priorityClassName: system-node-critical
+podAnnotations: {}
+rbac:
+    pspEnabled: true
+serviceAccount:
+    name: squid-sa
+    create: true
+    annotations: {}
+squid:
+    port: 3128
+    label: squid
+    configMap: squidConfigMap
+    image:
+        repository: squid
+        tag: customtest
+

test/assets/squid.conf

@@ -0,0 +1,11 @@
+acl SSL_ports port 443
+acl CONNECT method CONNECT
+acl all src 0.0.0.0/0
+http_access allow all
+http_port 3128
+coredump_dir /var/spool/squid
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
+refresh_pattern .		0	20%	4320