diff --git a/contexts/_template/blueprint.yaml b/contexts/_template/blueprint.yaml
index 6c6089c26..939e011b8 100644
--- a/contexts/_template/blueprint.yaml
+++ b/contexts/_template/blueprint.yaml
@@ -3,11 +3,6 @@ apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
 name: template
 description: Base blueprint template for core services
-repository:
- url: ""
- ref:
- branch: main
- secretName: flux-system
 sources: []
 terraform: []
 kustomize: []
diff --git a/terraform/backend/azurerm/.terraform.lock.hcl b/terraform/backend/azurerm/.terraform.lock.hcl
index c9c50e70a..66c65fdaf 100644
--- a/terraform/backend/azurerm/.terraform.lock.hcl
+++ b/terraform/backend/azurerm/.terraform.lock.hcl
@@ -32,20 +32,20 @@ provider "registry.terraform.io/hashicorp/azurerm" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/backend/s3/.terraform.lock.hcl b/terraform/backend/s3/.terraform.lock.hcl
index 5c3242452..326ee52f3 100644
--- a/terraform/backend/s3/.terraform.lock.hcl
+++ b/terraform/backend/s3/.terraform.lock.hcl
@@ -38,20 +38,20 @@ provider "registry.terraform.io/hashicorp/aws" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/cluster/aws-eks/.terraform.lock.hcl b/terraform/cluster/aws-eks/.terraform.lock.hcl index dc46df27a..1b8fdf93f 100644 --- a/terraform/cluster/aws-eks/.terraform.lock.hcl +++ b/terraform/cluster/aws-eks/.terraform.lock.hcl @@ -14,6 +14,7 @@ provider "registry.terraform.io/hashicorp/aws" { "h1:QAcpv9yoqEtVaBVyQ3hHsTc558AchV5/8lfAGoqmUkA=", "h1:QJEljz77aB459tng0v+5xIdV6mkmCM4RZO6ztk3pOEA=", "h1:RB3r7K1PgJ6S3J0l4u5/nB7G/inM2goPWY+QHesxuGo=", + "h1:RO/wwMYOIpQpC7Jum3tHSi3SS7+XWEuhEHgHlYwBTao=", "h1:UT4pxGbPuANnxyCeDn5/Ybr476EkyxcsYsU+q0iYt/Q=", "h1:Uv/PPkYgnjKcsesOVWiTHaY/1R5/OgH1UYnXvtu0K58=", "h1:XuB0R/84+T3iEUVh5EHBQ+P+FdmgrC9DxQ0BmaNttS0=", 
@@ -38,21 +39,21 @@ provider "registry.terraform.io/hashicorp/aws" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/cluster/aws-eks/additions/.terraform.lock.hcl b/terraform/cluster/aws-eks/additions/.terraform.lock.hcl index 75d53d041..81faf2881 100644 --- a/terraform/cluster/aws-eks/additions/.terraform.lock.hcl +++ b/terraform/cluster/aws-eks/additions/.terraform.lock.hcl @@ -8,6 +8,7 @@ provider "registry.terraform.io/hashicorp/aws" { "h1:+hGrZFOwhO5Wa60cy9tntT0qkBf81rHJIF2ErJ5JkQg=", "h1:0XEc9eHELD/BtPNybqkzzaS3bYp2HSv9LwAfaGyCpOU=", "h1:4/MVfJTHXMUw0znz+eTdWdScMZkLiMZ0IkY4wPzx5Bc=", + "h1:4XyaPG5JbJjn2hgVS9PWkX0+Kz3+R+wnVLjoAGSkkOM=", "h1:5Y+OtKRotuCIjbVW6rYrGIU1u8+zK5zyvar9t7L6aqc=", "h1:67vo1NVFcVzi0BcCd7uEOc5thGm22JE7xb7ph/XwUxI=", "h1:PQ3jzG6VNrfS35adtrBeLnVTnJef3f2t5SUV7XNikgo=", @@ -18,6 +19,7 @@ provider "registry.terraform.io/hashicorp/aws" { "h1:Uv/PPkYgnjKcsesOVWiTHaY/1R5/OgH1UYnXvtu0K58=", "h1:XuB0R/84+T3iEUVh5EHBQ+P+FdmgrC9DxQ0BmaNttS0=", "h1:p/zt5FRJNZg6oqJmh+ZCMx/Fn7kjefz1sCdbZaarunw=", + "h1:qOZVo7KQ4bnlUn3kAzzmUNtJgGD5ffCCEgQxle30xFU=", "h1:v9FRXpj8ZndNpDmiJX3mDwGvGw8WMCatv/7vlp50U2E=", "zh:0f9621f719ec2051eabb94ca59aa4f13574487fbc1517b183293431c9d388e38", "zh:2ffbedb2e3afcd82da8bfc540bd74e9611527bdafd00d6d1885f62e7d13bac74", diff --git a/terraform/cluster/azure-aks/.terraform.lock.hcl b/terraform/cluster/azure-aks/.terraform.lock.hcl index ae51b1537..84e7aa022 100644 --- a/terraform/cluster/azure-aks/.terraform.lock.hcl +++ b/terraform/cluster/azure-aks/.terraform.lock.hcl 
@@ -32,21 +32,21 @@ provider "registry.terraform.io/hashicorp/azurerm" { } provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
diff --git a/terraform/cluster/azure-aks/main.tf b/terraform/cluster/azure-aks/main.tf
index 16aab2824..761a645dd 100644
--- a/terraform/cluster/azure-aks/main.tf
+++ b/terraform/cluster/azure-aks/main.tf
@@ -373,6 +373,15 @@ resource "azurerm_kubernetes_cluster" "main" {
 # checkov:skip=CKV_AZURE_168: This is set in the variable by default to 50
 max_pods = var.default_node_pool.max_pods
 temporary_name_for_rotation = "rotate"
+
+ dynamic "upgrade_settings" {
+ for_each = var.default_node_pool.upgrade_settings != null ? [var.default_node_pool.upgrade_settings] : []
+ content {
+ drain_timeout_in_minutes = upgrade_settings.value.drain_timeout_in_minutes
+ max_surge = upgrade_settings.value.max_surge
+ node_soak_duration_in_minutes = upgrade_settings.value.node_soak_duration_in_minutes
+ }
+ }
 }
 auto_scaler_profile {
@@ -392,8 +401,10 @@ resource "azurerm_kubernetes_cluster" "main" {
 vertical_pod_autoscaler_enabled = var.workload_autoscaler_profile.vertical_pod_autoscaler_enabled
 }
- oidc_issuer_enabled = var.oidc_issuer_enabled
- workload_identity_enabled = var.workload_identity_enabled
+ oidc_issuer_enabled = var.oidc_issuer_enabled
+ workload_identity_enabled = var.workload_identity_enabled
+ image_cleaner_enabled = var.image_cleaner_enabled
+ image_cleaner_interval_hours = var.image_cleaner_interval_hours
 network_profile {
 network_plugin = "azure"
diff --git a/terraform/cluster/azure-aks/test.tftest.hcl b/terraform/cluster/azure-aks/test.tftest.hcl
index 2ed04ea1b..f1cb57470 100644
--- a/terraform/cluster/azure-aks/test.tftest.hcl
+++ b/terraform/cluster/azure-aks/test.tftest.hcl
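Review bot: `image_cleaner_interval_hours = var.image_cleaner_interval_hours` is sent to the cluster even when `image_cleaner_enabled` is false, so a caller that disables the cleaner still submits an interval that the API may reject or keep reporting as drift; `image_cleaner_interval_hours = var.image_cleaner_enabled ? var.image_cleaner_interval_hours : null` would only send it when it is meaningful, provided the provider accepts null here (confirm against the azurerm resource docs). The new `dynamic "upgrade_settings"` block carries no comment on why it is conditional; a line such as `# Emit upgrade_settings only when the caller supplies one; when omitted the node pool presumably keeps the service-side defaults` would match the annotated style of the surrounding `default_node_pool` block. Both hunks sit inside `resource "azurerm_kubernetes_cluster" "main"`, whose start and end are outside this hunk.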
@@ -160,6 +160,16 @@ run "minimal_configuration" {
 condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
 error_message = "Snapshot write permissions should be included when enable_volume_snapshots is true (default)"
 }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_enabled == true
+ error_message = "Image Cleaner should be enabled by default"
+ }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 48
+ error_message = "Image Cleaner interval should default to 48 hours"
+ }
 }
 # Tests a full configuration with all optional variables explicitly set,
@@ -209,6 +219,8 @@ run "full_configuration" {
 authorized_ip_ranges = ["10.0.0.0/8"]
 admin_object_ids = ["55555555-5555-5555-5555-555555555555"]
 enable_volume_snapshots = true
+ image_cleaner_enabled = true
+ image_cleaner_interval_hours = 24
 }
 assert {
@@ -375,6 +387,16 @@ run "full_configuration" {
 condition = length(azurerm_role_assignment.aks_rbac_admin) == 2
 error_message = "Role assignments should be created for deployer plus 1 admin object ID (2 total)"
 }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_enabled == true
+ error_message = "Image Cleaner should be enabled"
+ }
+
+ assert {
+ condition = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 24
+ error_message = "Image Cleaner interval should match input value"
+ }
 }
 # Tests the private cluster configuration, ensuring that enabling the private_cluster_enabled
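Review bot: Neither `minimal_configuration` nor `full_configuration` exercises the `image_cleaner_enabled = false` path, so a regression that ignores the flag and always enables the cleaner would still pass every assertion added in these three hunks. A dedicated run with the flag off pins the negative case and is also the natural place to assert what the plan sends for `image_cleaner_interval_hours` once the disabled-path behaviour in `main.tf` is settled. The fixture below reuses the `context_id`/`name`/`kubernetes_version` triple the other runs in this file already use.
```hcl
# Tests that Image Cleaner can be switched off; guards the negative path of image_cleaner_enabled.
run "image_cleaner_disabled" {
  command = plan

  variables {
    context_id            = "test"
    name                  = "windsor-aks"
    kubernetes_version    = "1.32"
    image_cleaner_enabled = false
  }

  assert {
    condition     = azurerm_kubernetes_cluster.main.image_cleaner_enabled == false
    error_message = "Image Cleaner should be disabled when image_cleaner_enabled is false"
  }
}
```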
@@ -532,64 +554,64 @@ run "multiple_invalid_inputs" { } } -# Tests that when enable_volume_snapshots is false, snapshot permissions are not included in the role definition. -# This verifies the conditional logic that excludes snapshot operations when volume snapshots are disabled. -run "volume_snapshots_disabled" { +# Tests that when key_vault_key_id is provided, no key is created and the provided key ID is used. +# This verifies the conditional logic that skips key creation when an external key is specified. +run "disk_encryption_with_provided_key" { command = plan variables { context_id = "test" name = "windsor-aks" kubernetes_version = "1.32" - enable_volume_snapshots = false - } - - assert { - condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read") - error_message = "Snapshot read permissions should not be included when enable_volume_snapshots is false" + disk_encryption_enabled = true + key_vault_key_id = "https://test-kv.vault.azure.net/keys/test-key/abc123" } assert { - condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write") - error_message = "Snapshot write permissions should not be included when enable_volume_snapshots is false" + condition = length(azurerm_key_vault_key.key_vault_key) == 0 + error_message = "Key Vault key should not be created when key_vault_key_id is provided" } assert { - condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/delete") - error_message = "Snapshot delete permissions should not be included when enable_volume_snapshots is false" + condition = length(azurerm_disk_encryption_set.main) == 1 + error_message = "Disk encryption set should be created when disk_encryption_enabled is true" } assert { - condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, 
"Microsoft.Compute/disks/read") - error_message = "Core disk permissions should still be included when enable_volume_snapshots is false" + condition = azurerm_disk_encryption_set.main[0].key_vault_key_id == "https://test-kv.vault.azure.net/keys/test-key/abc123" + error_message = "Disk encryption set should use the provided key_vault_key_id when specified" } } -# Tests that when key_vault_key_id is provided, no key is created and the provided key ID is used. -# This verifies the conditional logic that skips key creation when an external key is specified. -run "disk_encryption_with_provided_key" { +# Tests that when enable_volume_snapshots is false, snapshot permissions are not included in the role definition. +# This verifies the conditional logic that excludes snapshot operations when volume snapshots are disabled. +run "volume_snapshots_disabled" { command = plan variables { context_id = "test" name = "windsor-aks" kubernetes_version = "1.32" - disk_encryption_enabled = true - key_vault_key_id = "https://test-kv.vault.azure.net/keys/test-key/abc123" + enable_volume_snapshots = false } assert { - condition = length(azurerm_key_vault_key.key_vault_key) == 0 - error_message = "Key Vault key should not be created when key_vault_key_id is provided" + condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read") + error_message = "Snapshot read permissions should not be included when enable_volume_snapshots is false" } assert { - condition = length(azurerm_disk_encryption_set.main) == 1 - error_message = "Disk encryption set should be created when disk_encryption_enabled is true" + condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write") + error_message = "Snapshot write permissions should not be included when enable_volume_snapshots is false" } assert { - condition = 
azurerm_disk_encryption_set.main[0].key_vault_key_id == "https://test-kv.vault.azure.net/keys/test-key/abc123"
- error_message = "Disk encryption set should use the provided key_vault_key_id when specified"
+ condition = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/delete")
+ error_message = "Snapshot delete permissions should not be included when enable_volume_snapshots is false"
+ }
+
+ assert {
+ condition = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/disks/read")
+ error_message = "Core disk permissions should still be included when enable_volume_snapshots is false"
 }
 }
diff --git a/terraform/cluster/azure-aks/variables.tf b/terraform/cluster/azure-aks/variables.tf
index 60ee1a3d7..6f7a11403 100644
--- a/terraform/cluster/azure-aks/variables.tf
+++ b/terraform/cluster/azure-aks/variables.tf
@@ -80,6 +80,11 @@ variable "default_node_pool" {
 node_count = number
 only_critical_addons_enabled = bool
 availability_zones = optional(list(string))
+ upgrade_settings = optional(object({
+ drain_timeout_in_minutes = number
+ max_surge = string
+ node_soak_duration_in_minutes = number
+ }))
 })
 default = {
 name = "system"
@@ -91,6 +96,11 @@ variable "default_node_pool" {
 max_count = 3
 node_count = 1
 only_critical_addons_enabled = true
+ upgrade_settings = {
+ drain_timeout_in_minutes = 30
+ max_surge = "10%"
+ node_soak_duration_in_minutes = 10
+ }
 }
 }
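Review bot: The three attributes inside the new `upgrade_settings` object are declared as required (`number`, `string`, `number`), so a caller overriding `default_node_pool` who wants to change only `max_surge` must supply all three, and any override of `default_node_pool` that omits `upgrade_settings` silently drops the module's rotation defaults (the attribute becomes null and the dynamic block in `main.tf` is skipped). Declaring each field with a default, e.g. `drain_timeout_in_minutes = optional(number, 30)`, `max_surge = optional(string, "10%")`, `node_soak_duration_in_minutes = optional(number, 10)`, keeps the guard rails for partial overrides; this needs the `optional(type, default)` form, so confirm the module's minimum Terraform version supports it. The `variable "default_node_pool"` block starts before these two hunks.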
@@ -317,3 +327,16 @@ variable "container_insights_enabled" {
 description = "Enable Azure Monitor Container Insights for collecting container logs, Kubernetes events, and pod/node inventory. Disable for cost-sensitive dev/test environments or when using alternative monitoring solutions."
 default = false
 }
+
+variable "image_cleaner_enabled" {
+ description = "Enable Image Cleaner for the AKS cluster"
+ type = bool
+ default = true
+}
+
+variable "image_cleaner_interval_hours" {
+ description = "Interval in hours for Image Cleaner to run"
+ type = number
+ default = 48
+}
+
diff --git a/terraform/cluster/talos/modules/machine/.terraform.lock.hcl b/terraform/cluster/talos/modules/machine/.terraform.lock.hcl
index 2418f3804..8f21e4bf9 100644
--- a/terraform/cluster/talos/modules/machine/.terraform.lock.hcl
+++ b/terraform/cluster/talos/modules/machine/.terraform.lock.hcl
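Review bot: `image_cleaner_interval_hours` accepts any number, including 0 or a negative value, and nothing in the module rejects it before the plan reaches the API; AKS documents a bounded supported range for this interval with a 24-hour lower bound (confirm the current upper bound in the AKS docs), so a `validation` block turns an opaque API error into an early, local one. The two descriptions could also say what the feature is for, e.g. `Enable Image Cleaner (Eraser-based) so stale, potentially vulnerable images are removed from nodes automatically`, which is the security reason for defaulting it to true. The trailing `+` blank line after the last closing brace is likely to be removed by `terraform fmt`.
```hcl
variable "image_cleaner_interval_hours" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.image_cleaner_interval_hours >= 24
    error_message = "image_cleaner_interval_hours must be at least 24 (AKS minimum); see the AKS docs for the supported upper bound."
  }
}
```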
@@ -2,21 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" + version = "2.6.1" hashes = [ - "h1:MCzg+hs1/ZQ32u56VzJMWP9ONRQPAAqAjuHuzbyshvI=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "h1:DbiR/D2CPigzCGweYIyJH0N0x04oyI5xiZ9wSW/s3kQ=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", ] } 
@@ -40,23 +40,23 @@ provider "registry.terraform.io/hashicorp/null" { } provider "registry.terraform.io/siderolabs/talos" { - version = "0.8.0" + version = "0.9.0" hashes = [ - "h1:5Ik5stEr3alQjCwSs+hU7poVoa+CZh/Z2IH3MtiyHf4=", - "zh:0273010292fc4faa8c9c4c1f406a5c962a494f931fb2570ce880dc19af04342c", - "zh:0785a8cdb72c917da99ab8795cf5312ecfcf73fd06d9d9893e25867ca1af136f", + "h1:50TaymX/KnjXcURmpKsVd7JUyLRrMDNXMHFgqzSe88U=", "zh:0fa82a384b25a58b65523e0ea4768fa1212b1f5cfc0c9379d31162454fedcc9d", - "zh:3936387665b16ab7e9ac08e1b25f1c65fdc1f8be54e6fb7dd4fa414bf1dfa261", - "zh:46ebd13aee6b5fa5abdcadb5e641125b69e9c48014d4625057e7bd5dc4d0a283", - "zh:5aabeb7c8f4dfcc8696aa4c6278043611e11f27dec42c3c0e090a495767bc274", - "zh:5f7acfe13775c29250f1cc37eddfc6cf7ee7e4cc58097f66ef6dc3dbe723fad8", - "zh:6170c27dce21ac47561755646b5fd821d14590fe503c100d73caaa5a34cba5a9", - "zh:7adc17bfb63a5ea7ce04785eb5374c0342ab8b5017538ecf77a3312feb3d4d6a", - "zh:944cd1a1fe3333bd97482b5b82e97b363b8b977d72e9b44f8e04c6e8d272a527", - "zh:a1e6c8e628847a583f6426d8d56be18e5da086630db9cb531c49f0fbf6db4ea4", - "zh:c920fff2336819ffffb81597bf3cf7d3b20cd07b0419a3dd20c62f2aed9696ac", - "zh:cfc260e85c3c88605b7705cdb2aefdd07f9b933bd98e26497f27c928a1232673", - "zh:d1927de9116cd9dbcdb1f550058e651c28c3b7dea58cae83feb79ddb69dbcb4c", - "zh:e9e11260645c35dc97b20a45b014ea279945ad4e09bc4f4fd898b32689c529e1", + "zh:249ab08b810bb96ef7c35354a12622907df7cbda59c83ff314ee85e8b851128d", + "zh:4f284c21f0cb4b7012fdb231ebba4803e5c389f7ea380fb5958ebfa6b822d055", + "zh:6049f8d06bc92ab1a46d56c2b37799e6a1b7ce3c61905acf8f0c2009942be8ac", + "zh:7de5f0a6429c6856ade3c7e59d5041a7fe8e0010aea14a2074e91f8a526283ce", + "zh:9760420cf5feec0550556664962bc6f1af45115b9ea5bcbf47aa9bffd3dd4ac2", + "zh:9860272a9fbcea65393c478dc579ad2677a44338de24677702ce699a027801aa", + "zh:a60311a8bf267b18dcf1c8250f45e371b51c6aef086e037a3f9496602f190187", + "zh:b74c119b2a964cae8d17b5b5f14c8eecf44708e3817c1f65ac89b813856aed98", + 
"zh:bc33e14650052c246ac2e6492a0a24755d4e8d27cb7259e3996f07b0537f2c77", + "zh:c4bc2c65b3dcef2508c14dbbfc18937c5ede11670c02a644cbc28c83a57de92b", + "zh:c98bf4809220568d76ea2db232a88a60c29fd90d4c9e2f8c8a68cf91ceed066a", + "zh:de0179ee9c55bf36d3474049ceac3a105ed7bc1fb9c4787d4076c4b15d268b66", + "zh:e99e019d950131c2c4259c1cbca1d072cb813bdfdbbbf9359f5901d6b7542a0d", + "zh:feb941cc673692c6858f96590f3ca082683a62aa2d2842b9bfffcd327eb840d3", ] }