chore: Cleanup and adding misc. vars

contexts/_template/blueprint.yaml

@@ -3,11 +3,6 @@ apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
   name: template
   description: Base blueprint template for core services
-repository:
-  url: ""
-  ref:
-    branch: main
-  secretName: flux-system
 sources: []
 terraform: []
 kustomize: []

terraform/cluster/azure-aks/main.tf

@@ -373,6 +373,15 @@ resource "azurerm_kubernetes_cluster" "main" {
     # checkov:skip=CKV_AZURE_168: This is set in the variable by default to 50
     max_pods                    = var.default_node_pool.max_pods
     temporary_name_for_rotation = "rotate"
+
+    dynamic "upgrade_settings" {
+      for_each = var.default_node_pool.upgrade_settings != null ? [var.default_node_pool.upgrade_settings] : []
+      content {
+        drain_timeout_in_minutes      = upgrade_settings.value.drain_timeout_in_minutes
+        max_surge                     = upgrade_settings.value.max_surge
+        node_soak_duration_in_minutes = upgrade_settings.value.node_soak_duration_in_minutes
+      }
+    }
   }
 
   auto_scaler_profile {
@@ -392,8 +401,10 @@ resource "azurerm_kubernetes_cluster" "main" {
     vertical_pod_autoscaler_enabled = var.workload_autoscaler_profile.vertical_pod_autoscaler_enabled
   }
 
-  oidc_issuer_enabled       = var.oidc_issuer_enabled
-  workload_identity_enabled = var.workload_identity_enabled
+  oidc_issuer_enabled          = var.oidc_issuer_enabled
+  workload_identity_enabled    = var.workload_identity_enabled
+  image_cleaner_enabled        = var.image_cleaner_enabled
+  image_cleaner_interval_hours = var.image_cleaner_interval_hours
 
   network_profile {
     network_plugin      = "azure"

terraform/cluster/azure-aks/test.tftest.hcl

@@ -160,6 +160,16 @@ run "minimal_configuration" {
     condition     = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
     error_message = "Snapshot write permissions should be included when enable_volume_snapshots is true (default)"
   }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.main.image_cleaner_enabled == true
+    error_message = "Image Cleaner should be enabled by default"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 48
+    error_message = "Image Cleaner interval should default to 48 hours"
+  }
 }
 
 # Tests a full configuration with all optional variables explicitly set,
@@ -209,6 +219,8 @@ run "full_configuration" {
     authorized_ip_ranges              = ["10.0.0.0/8"]
     admin_object_ids                  = ["55555555-5555-5555-5555-555555555555"]
     enable_volume_snapshots           = true
+    image_cleaner_enabled             = true
+    image_cleaner_interval_hours      = 24
   }
 
   assert {
@@ -375,6 +387,16 @@ run "full_configuration" {
     condition     = length(azurerm_role_assignment.aks_rbac_admin) == 2
     error_message = "Role assignments should be created for deployer plus 1 admin object ID (2 total)"
   }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.main.image_cleaner_enabled == true
+    error_message = "Image Cleaner should be enabled"
+  }
+
+  assert {
+    condition     = azurerm_kubernetes_cluster.main.image_cleaner_interval_hours == 24
+    error_message = "Image Cleaner interval should match input value"
+  }
 }
 
 # Tests the private cluster configuration, ensuring that enabling the private_cluster_enabled
@@ -532,64 +554,64 @@ run "multiple_invalid_inputs" {
   }
 }
 
-# Tests that when enable_volume_snapshots is false, snapshot permissions are not included in the role definition.
-# This verifies the conditional logic that excludes snapshot operations when volume snapshots are disabled.
-run "volume_snapshots_disabled" {
+# Tests that when key_vault_key_id is provided, no key is created and the provided key ID is used.
+# This verifies the conditional logic that skips key creation when an external key is specified.
+run "disk_encryption_with_provided_key" {
   command = plan
 
   variables {
     context_id              = "test"
     name                    = "windsor-aks"
     kubernetes_version      = "1.32"
-    enable_volume_snapshots = false
-  }
-
-  assert {
-    condition     = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read")
-    error_message = "Snapshot read permissions should not be included when enable_volume_snapshots is false"
+    disk_encryption_enabled = true
+    key_vault_key_id        = "https://test-kv.vault.azure.net/keys/test-key/abc123"
   }
 
   assert {
-    condition     = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
-    error_message = "Snapshot write permissions should not be included when enable_volume_snapshots is false"
+    condition     = length(azurerm_key_vault_key.key_vault_key) == 0
+    error_message = "Key Vault key should not be created when key_vault_key_id is provided"
   }
 
   assert {
-    condition     = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/delete")
-    error_message = "Snapshot delete permissions should not be included when enable_volume_snapshots is false"
+    condition     = length(azurerm_disk_encryption_set.main) == 1
+    error_message = "Disk encryption set should be created when disk_encryption_enabled is true"
   }
 
   assert {
-    condition     = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/disks/read")
-    error_message = "Core disk permissions should still be included when enable_volume_snapshots is false"
+    condition     = azurerm_disk_encryption_set.main[0].key_vault_key_id == "https://test-kv.vault.azure.net/keys/test-key/abc123"
+    error_message = "Disk encryption set should use the provided key_vault_key_id when specified"
   }
 }
 
-# Tests that when key_vault_key_id is provided, no key is created and the provided key ID is used.
-# This verifies the conditional logic that skips key creation when an external key is specified.
-run "disk_encryption_with_provided_key" {
+# Tests that when enable_volume_snapshots is false, snapshot permissions are not included in the role definition.
+# This verifies the conditional logic that excludes snapshot operations when volume snapshots are disabled.
+run "volume_snapshots_disabled" {
   command = plan
 
   variables {
     context_id              = "test"
     name                    = "windsor-aks"
     kubernetes_version      = "1.32"
-    disk_encryption_enabled = true
-    key_vault_key_id        = "https://test-kv.vault.azure.net/keys/test-key/abc123"
+    enable_volume_snapshots = false
   }
 
   assert {
-    condition     = length(azurerm_key_vault_key.key_vault_key) == 0
-    error_message = "Key Vault key should not be created when key_vault_key_id is provided"
+    condition     = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/read")
+    error_message = "Snapshot read permissions should not be included when enable_volume_snapshots is false"
   }
 
   assert {
-    condition     = length(azurerm_disk_encryption_set.main) == 1
-    error_message = "Disk encryption set should be created when disk_encryption_enabled is true"
+    condition     = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/write")
+    error_message = "Snapshot write permissions should not be included when enable_volume_snapshots is false"
   }
 
   assert {
-    condition     = azurerm_disk_encryption_set.main[0].key_vault_key_id == "https://test-kv.vault.azure.net/keys/test-key/abc123"
-    error_message = "Disk encryption set should use the provided key_vault_key_id when specified"
+    condition     = !contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/snapshots/delete")
+    error_message = "Snapshot delete permissions should not be included when enable_volume_snapshots is false"
+  }
+
+  assert {
+    condition     = contains(azurerm_role_definition.aks_kubelet_vmss_disk_manager.permissions[0].actions, "Microsoft.Compute/disks/read")
+    error_message = "Core disk permissions should still be included when enable_volume_snapshots is false"
   }
 }

terraform/cluster/azure-aks/variables.tf

@@ -80,6 +80,11 @@ variable "default_node_pool" {
     node_count                   = number
     only_critical_addons_enabled = bool
     availability_zones           = optional(list(string))
+    upgrade_settings = optional(object({
+      drain_timeout_in_minutes      = number
+      max_surge                     = string
+      node_soak_duration_in_minutes = number
+    }))
   })
   default = {
     name                         = "system"
@@ -91,6 +96,11 @@ variable "default_node_pool" {
     max_count                    = 3
     node_count                   = 1
     only_critical_addons_enabled = true
+    upgrade_settings = {
+      drain_timeout_in_minutes      = 30
+      max_surge                     = "10%"
+      node_soak_duration_in_minutes = 10
+    }
   }
 }
 
@@ -317,3 +327,16 @@ variable "container_insights_enabled" {
   description = "Enable Azure Monitor Container Insights for collecting container logs, Kubernetes events, and pod/node inventory. Disable for cost-sensitive dev/test environments or when using alternative monitoring solutions."
   default     = false
 }
+
+variable "image_cleaner_enabled" {
+  description = "Enable Image Cleaner for the AKS cluster"
+  type        = bool
+  default     = true
+}
+
+variable "image_cleaner_interval_hours" {
+  description = "Interval in hours for Image Cleaner to run"
+  type        = number
+  default     = 48
+}
+