handle http proxy config for webhooks

config/helm/aws-node-termination-handler/README.md

@@ -60,6 +60,7 @@ Parameter | Description | Default
 `ignoreDaemonsSets` | Causes kubectl to skip daemon set managed pods | `true`
 `instanceMetadataURL` | The URL of EC2 instance metadata. This shouldn't need to be changed unless you are testing. | `http://169.254.169.254:80`
 `webhookURL` | Posts event data to URL upon instance interruption action | ``
+`webhookProxy` | Uses the specified HTTP(S) proxy for sending webhooks | `` 
 `webhookHeaders` | Replaces the default webhook headers. | `{"Content-type":"application/json"}`
 `webhookTemplate` | Replaces the default webhook message template. | `{"text":"[NTH][Instance Interruption] EventID: {{ .EventID }} - Kind: {{ .Kind }} - Description: {{ .Description }} - State: {{ .State }} - Start Time: {{ .StartTime }}"}`
 `dryRun` | If true, only log if a node would be drained | `false`
@@ -83,4 +84,3 @@ Parameter | Description | Default
 `procUptimeFile` | (Used for Testing) Specify the uptime file | `/proc/uptime`
 `securityContext.runAsUserID` | User ID to run the container | `1000`
 `securityContext.runAsGroupID` | Group ID to run the container | `1000` 
-

config/helm/aws-node-termination-handler/templates/daemonset.yaml

@@ -111,6 +111,8 @@ spec:
             value: {{ .Values.cordonOnly | quote }}
           - name: JSON_LOGGING
             value: {{ .Values.jsonLogging | quote }}
+          - name: WEBHOOK_PROXY
+            value: {{ .Values.webhookProxy | quote }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

config/helm/aws-node-termination-handler/values.yaml

@@ -54,6 +54,9 @@ nodeTerminationGracePeriod: ""
 # webhookURL if specified, posts event data to URL upon instance interruption action.
 webhookURL: ""
 
+# webhookProxy if specified, uses this HTTP(S) proxy configuration.
+webhookProxy: ""
+
 # webhookHeaders if specified, replaces the default webhook headers.
 webhookHeaders: ""
 

config/helm/ec2-metadata-test-proxy/templates/clusterrole.yaml

@@ -9,29 +9,4 @@ rules:
     - nodes
   verbs:
     - get
-    - patch
-    - update
-- apiGroups:
-    - ""
-  resources:
-    - pods
-  verbs:
-    - list
-- apiGroups:
-    - ""
-  resources:
-    - pods/eviction
-  verbs:
-    - create
-- apiGroups:
-    - extensions
-  resources:
-    - daemonsets
-  verbs:
-    - get
-- apiGroups:
-    - apps
-  resources:
-    - daemonsets
-  verbs:
-    - get
+

config/helm/ec2-metadata-test-proxy/templates/daemonset.yaml

@@ -37,6 +37,3 @@ spec:
         - name: ENABLE_IMDS_V2
           value: {{ .Values.ec2MetadataTestProxy.enableIMDSV2 | quote }}
 {{- end -}}
-
-
-

config/helm/ec2-metadata-test-proxy/templates/regular-pod-test.yaml

@@ -27,6 +27,3 @@ spec:
         - name: PORT
           value: {{ .Values.regularPodTest.port | quote }}
 {{- end -}}
-
-
-

config/helm/ec2-metadata-test-proxy/templates/service.yaml

@@ -7,4 +7,4 @@ spec:
     app: {{ .Values.ec2MetadataTestProxy.label }}
   ports:
   - port: {{ .Values.ec2MetadataTestProxy.port }}
-    protocol: TCP
+    protocol: TCP

config/helm/squid/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

config/helm/squid/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+name: squid
+description: A Helm chart for Squid
+version: 0.0.1
+appVersion: 1.0.0
+home: https://github.com/aws/aws-node-termination-handler
+icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
+sources:
+  - https://github.com/aws/aws-node-termination-handler/test/squid

config/helm/squid/templates/_helpers.tpl

@@ -0,0 +1,57 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "squid.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "squid.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "squid.labels" -}}
+app.kubernetes.io/name: {{ include "squid.name" . }}
+helm.sh/chart: {{ include "squid.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+k8s-app: squid
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "squid.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "squid.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "squid.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

config/helm/squid/templates/clusterrole.yaml

@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "squid.fullname" . }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - nodes
+  verbs:
+    - get

config/helm/squid/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "squid.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "squid.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "squid.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io

config/helm/squid/templates/daemonset.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ .Values.squid.label }}
+  labels:
+    app: {{ .Values.squid.label }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.squid.label }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.squid.label }}
+    spec:
+      serviceAccountName: {{ template "squid.serviceAccountName" . }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: {{ .Values.squid.label }}
+        image: {{ .Values.squid.image.repository }}:{{ .Values.squid.image.tag }}
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: {{ .Values.squid.port }}
+          hostPort: {{ .Values.squid.port }}
+        volumeMounts:
+          - name: squid-config
+            mountPath: /etc/squid
+            readOnly: true
+      volumes:
+        - name: squid-config
+          configMap: 
+            name: {{ .Values.squid.configMap }}
+

config/helm/squid/templates/psp.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "squid.fullname" . }}
+  labels:
+{{ include "squid.labels" . | indent 4 }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  privileged: false
+  hostIPC: false
+  hostNetwork: true
+  hostPorts:
+    - min: 1024
+      max: 65535
+  hostPID: false
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+    - '*'
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "squid.fullname" . }}-psp
+  labels:
+{{ include "squid.labels" . | indent 4 }}
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+      - {{ template "squid.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "squid.fullname" . }}-psp
+  labels:
+{{ include "squid.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "squid.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "squid.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

config/helm/squid/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "squid.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- with .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+{{ include "squid.labels" . | indent 4 }}

config/helm/squid/values.yaml

@@ -0,0 +1,18 @@
+nameOverride: ""
+fullnameOverride: ""
+priorityClassName: system-node-critical
+podAnnotations: {}
+rbac:
+    pspEnabled: true
+serviceAccount:
+    name: squid-sa
+    create: true
+    annotations: {}
+squid:
+    port: 3128
+    label: squid
+    configMap: squidConfigMap
+    image:
+        repository: squid
+        tag: customtest
+

pkg/config/config.go

@@ -39,6 +39,8 @@ const (
 	nodeTerminationGracePeriodDefault       = 120
 	webhookURLConfigKey                     = "WEBHOOK_URL"
 	webhookURLDefault                       = ""
+	webhookProxyConfigKey                   = "WEBHOOK_PROXY"
+	webhookProxyDefault                     = ""
 	webhookHeadersConfigKey                 = "WEBHOOK_HEADERS"
 	webhookHeadersDefault                   = `{"Content-type":"application/json"}`
 	webhookTemplateConfigKey                = "WEBHOOK_TEMPLATE"
@@ -68,6 +70,7 @@ type Config struct {
 	WebhookURL                     string
 	WebhookHeaders                 string
 	WebhookTemplate                string
+	WebhookProxy                   string
 	EnableScheduledEventDraining   bool
 	EnableSpotInterruptionDraining bool
 	MetadataTries                  int
@@ -97,6 +100,7 @@ func ParseCliArgs() (config Config, err error) {
 	flag.IntVar(&config.PodTerminationGracePeriod, "pod-termination-grace-period", getIntEnv(podTerminationGracePeriodConfigKey, podTerminationGracePeriodDefault), "Period of time in seconds given to each POD to terminate gracefully. If negative, the default value specified in the pod will be used.")
 	flag.IntVar(&config.NodeTerminationGracePeriod, "node-termination-grace-period", getIntEnv(nodeTerminationGracePeriodConfigKey, nodeTerminationGracePeriodDefault), "Period of time in seconds given to each NODE to terminate gracefully. Node draining will be scheduled based on this value to optimize the amount of compute time, but still safely drain the node before an event.")
 	flag.StringVar(&config.WebhookURL, "webhook-url", getEnv(webhookURLConfigKey, webhookURLDefault), "If specified, posts event data to URL upon instance interruption action.")
+	flag.StringVar(&config.WebhookProxy, "webhook-proxy", getEnv(webhookProxyConfigKey, webhookProxyDefault), "If specified, uses the HTTP(S) proxy to send webhooks. Example: --webhook-url='tcp://<ip-or-dns-to-proxy>:<port>'")
 	flag.StringVar(&config.WebhookHeaders, "webhook-headers", getEnv(webhookHeadersConfigKey, webhookHeadersDefault), "If specified, replaces the default webhook headers.")
 	flag.StringVar(&config.WebhookTemplate, "webhook-template", getEnv(webhookTemplateConfigKey, webhookTemplateDefault), "If specified, replaces the default webhook message template.")
 	flag.BoolVar(&config.EnableScheduledEventDraining, "enable-scheduled-event-draining", getBoolEnv(enableScheduledEventDrainingConfigKey, enableScheduledEventDrainingDefault), "[EXPERIMENTAL] If true, drain nodes before the maintenance window starts for an EC2 instance scheduled event")
@@ -138,8 +142,8 @@ func ParseCliArgs() (config Config, err error) {
 			"\tenable-spot-interruption-draining: %t,\n"+
 			"\tmetadata-tries: %d,\n"+
 			"\tcordon-only: %t,\n"+
-			"\tjson-logging: %t,\n",
-
+			"\tjson-logging: %t,\n"+
+			"\twebhook-proxy: %s,\n",
 		config.DryRun,
 		config.NodeName,
 		config.MetadataURL,
@@ -154,6 +158,7 @@ func ParseCliArgs() (config Config, err error) {
 		config.MetadataTries,
 		config.CordonOnly,
 		config.JsonLogging,
+		config.WebhookProxy,
 	)
 
 	return config, err

pkg/node/node.go

@@ -336,7 +336,6 @@ func getDrainHelper(nthConfig config.Config) (*drain.Helper, error) {
 	if err != nil {
 		return nil, err
 	}
-
 	// creates the clientset
 	clientset, err := kubernetes.NewForConfig(clusterConfig)
 	if err != nil {