feat(azure): Set defaults for production AKS

contexts/azure-example/blueprint.yaml

@@ -0,0 +1,93 @@
+kind: Blueprint
+apiVersion: blueprints.windsorcli.dev/v1alpha1
+metadata:
+  name: cloud
+  description: This blueprint outlines resources in the cloud context
+repository:
+  url: ""
+  ref:
+    branch: main
+  secretName: flux-system
+sources:
+- name: core
+  url: github.com/windsorcli/core
+  ref:
+    branch: main
+terraform:
+- path: network/azure-vnet
+- path: cluster/azure-aks
+- path: gitops/flux
+  destroy: false
+kustomize:
+- name: telemetry-base
+  path: telemetry/base
+  source: core
+  components:
+  - prometheus
+  - prometheus/flux
+- name: telemetry-resources
+  path: telemetry/resources
+  source: core
+  dependsOn:
+  - telemetry-base
+  components:
+  - prometheus
+  - prometheus/flux
+- name: policy-base
+  path: policy/base
+  source: core
+  components:
+  - kyverno
+- name: policy-resources
+  path: policy/resources
+  source: core
+  dependsOn:
+  - policy-base
+- name: pki-base
+  path: pki/base
+  source: core
+  dependsOn:
+  - policy-resources
+  force: true
+  components:
+  - cert-manager
+  - trust-manager
+- name: pki-resources
+  path: pki/resources
+  source: core
+  dependsOn:
+  - pki-base
+  force: true
+  components:
+  - private-issuer/ca
+  - public-issuer/selfsigned
+- name: ingress-base
+  path: ingress/base
+  source: core
+  dependsOn:
+  - pki-resources
+  force: true
+  components:
+  - nginx
+  - nginx/flux-webhook
+  - nginx/web
+- name: gitops
+  path: gitops/flux
+  source: core
+  dependsOn:
+  - ingress-base
+  force: true
+  components:
+  - webhook
+- name: observability
+  path: observability
+  source: core
+  dependsOn:
+  - ingress-base
+  components:
+  - grafana
+  - grafana/ingress
+  - grafana/prometheus
+  - grafana/node
+  - grafana/kubernetes
+  - grafana/flux

contexts/azure-example/terraform/backend/azurerm.tfvars

@@ -0,0 +1,29 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+
+// Azure region where resources will be created
+// location = "eastus2"
+
+// Name of the resource group where the storage account will be created
+// resource_group_name = ""
+
+// Name of the storage account. If not provided, a default name will be generated
+// storage_account_name = ""
+
+// Name of the blob container for Terraform state
+// container_name = ""
+
+// Additional tags to apply to resources
+// tags = {
+// }
+
+// Enable customer managed key encryption
+// enable_cmk = false
+
+// The ID of the Key Vault Key to use for CMK encryption
+// key_vault_key_id = ""
+
+// Allow public access to the storage account
+// allow_public_access = true
+
+// List of IP ranges to allow access to the storage account
+// allowed_ip_ranges = []

contexts/azure-example/terraform/cluster/azure-aks.tfvars

@@ -0,0 +1,103 @@
+# Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+
+# Name of the resource
+# name = "cluster"
+
+# Name of the resource group
+# resource_group_name = null
+
+# Name of the AKS cluster
+# cluster_name = null
+
+# Name on the VNET module
+# vnet_module_name = "network"
+
+# ID of the subnet
+# vnet_subnet_id = null
+
+# Region for the resources
+# region = "eastus"
+
+# Version of Kubernetes to use
+# kubernetes_version = "1.32"
+
+# Configuration for the default node pool
+# default_node_pool = {
+#   host_encryption_enabled = true
+#   max_count = null
+#   max_pods = null
+#   min_count = null
+#   name = "system"
+#   node_count = null
+#   only_critical_addons_enabled = true
+#   os_disk_type = "Managed"
+#   vm_size = "Standard_D2s_v3"
+# }
+
+# Configuration for the autoscaled node pool
+# autoscaled_node_pool = {
+#   enabled = true
+#   host_encryption_enabled = true
+#   max_count = null
+#   max_pods = null
+#   min_count = null
+#   mode = "User"
+#   name = "autoscaled"
+#   os_disk_type = "Managed"
+#   vm_size = "Standard_D2s_v3"
+# }
+
+# Whether to enable role-based access control for the AKS cluster
+# role_based_access_control_enabled = true
+
+# Configuration for the AKS cluster's auto-scaler
+# auto_scaler_profile = {
+#   balance_similar_node_groups = true
+#   max_graceful_termination_sec = null
+#   scale_down_delay_after_add = "10m"
+#   scale_down_delay_after_delete = "10s"
+#   scale_down_delay_after_failure = "3m"
+#   scale_down_unneeded = "10m"
+#   scale_down_unready = "20m"
+#   scale_down_utilization_threshold = "0.5"
+#   scan_interval = "10s"
+# }
+
+# Configuration for the AKS cluster's workload autoscaler
+# workload_autoscaler_profile = {
+#   keda_enabled = false
+#   vertical_pod_autoscaler_enabled = false
+# }
+
+# The automatic upgrade channel for the AKS cluster
+# automatic_upgrade_channel = "stable"
+
+# The SKU tier for the AKS cluster
+# sku_tier = "Standard"
+
+# Whether to enable private cluster for the AKS cluster
+# private_cluster_enabled = false
+
+# Whether to enable Azure Policy for the AKS cluster
+# azure_policy_enabled = true
+
+# Whether to disable local accounts for the AKS cluster
+# local_account_disabled = false
+
+# Whether to enable public network access for the AKS cluster
+# public_network_access_enabled = true
+
+# The default action for the AKS cluster's network ACLs
+# network_acls_default_action = "Allow"
+
+# The expiration date for the AKS cluster's key vault
+# expiration_date = null
+
+# Additional user assigned identity IDs for the AKS cluster
+# additional_cluster_identity_ids = []
+
+# The number of days to retain the AKS cluster's key vault
+# soft_delete_retention_days = null
+
+# Tags to apply to the resources
+# tags = {}

contexts/azure-example/terraform/gitops/flux.tfvars

@@ -0,0 +1,32 @@
+# Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+# Module source: github.com/windsorcli/core//terraform/gitops/flux?ref=aws-eks
+
+# The namespace in which Flux will be installed
+# flux_namespace = "system-gitops"
+
+# The version of Flux Helm chart to install
+# flux_helm_version = "2.15.0"
+
+# The version of Flux to install
+# flux_version = "2.5.1"
+
+# The private key to use for SSH authentication
+# ssh_private_key = "(sensitive)"
+
+# The public key to use for SSH authentication
+# ssh_public_key = "(sensitive)"
+
+# The known hosts to use for SSH authentication
+# ssh_known_hosts = "(sensitive)"
+
+# The name of the secret to store the git authentication details
+# git_auth_secret = "flux-system"
+
+# The git user to use to authenticte with the git provider
+# git_username = "git"
+
+# The git password or PAT used to authenticte with the git provider
+# git_password = "(sensitive)"
+
+# The token to use for the webhook
+# webhook_token = "(sensitive)"

contexts/azure-example/terraform/network/azure-vnet.tfvars

@@ -0,0 +1,24 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/network/azure-vnet?ref=main
+
+// Region for the resources
+// region = "eastus"
+
+// Name of the resource group
+// resource_group_name = null
+
+// Name of the VNET
+// vnet_name = null
+
+// Number of availability zones to create
+// vnet_zones = null
+
+// CIDR block for VNET
+// vnet_cidr = "10.20.0.0/16"
+
+// Subnets to create in the VNET
+// vnet_subnets = {
+//   data = []
+//   private = []
+//   public = []
+// }

contexts/local/blueprint.yaml

@@ -43,15 +43,13 @@ kustomize:
   path: csi
   dependsOn:
   - policy-resources
-  force: true
   components:
   - openebs
   - openebs/dynamic-localpv
 - name: ingress-base
   path: ingress/base
   dependsOn:
   - pki-resources
-  force: true
   components:
   - nginx
   - nginx/nodeport
@@ -62,23 +60,20 @@ kustomize:
   path: pki/base
   dependsOn:
   - policy-resources
-  force: true
   components:
   - cert-manager
   - trust-manager
 - name: pki-resources
   path: pki/resources
   dependsOn:
   - pki-base
-  force: true
   components:
   - private-issuer/ca
   - public-issuer/selfsigned
 - name: dns
   path: dns
   dependsOn:
   - pki-base
-  force: true
   components:
   - coredns
   - coredns/etcd
@@ -90,6 +85,5 @@ kustomize:
   path: gitops/flux
   dependsOn:
   - ingress-base
-  force: true
   components:
   - webhook

contexts/local/terraform/cluster/talos.tfvars

@@ -5,7 +5,7 @@
 # kubernetes_version = "1.33.1"
 
 # The talos version to deploy.
-# talos_version = "1.10.1"
+# talos_version = "1.10.2"
 
 # The name of the cluster.
 cluster_name = "talos"
@@ -32,12 +32,16 @@ common_config_patches = <<EOF
     "certSANs":
     - "localhost"
     - "127.0.0.1"
+    - "controlplane-1"
+    - "controlplane-1.test"
   "extraManifests":
   - "https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml"
 "machine":
   "certSANs":
   - "localhost"
   - "127.0.0.1"
+  - "controlplane-1"
+  - "controlplane-1.test"
   "kubelet":
     "extraArgs":
       "rotate-server-certificates": "true"

docs/terraform/backend/azurerm.md

@@ -2,13 +2,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.28.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.29.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.28.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.29.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | 2.5.3 |
 
 ## Modules
@@ -19,10 +19,10 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/resource_group) | resource |
-| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/storage_account) | resource |
-| [azurerm_storage_container.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/storage_container) | resource |
-| [azurerm_user_assigned_identity.storage](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/user_assigned_identity) | resource |
+| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/resource_group) | resource |
+| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/storage_container) | resource |
+| [azurerm_user_assigned_identity.storage](https://registry.terraform.io/providers/hashicorp/azurerm/4.29.0/docs/resources/user_assigned_identity) | resource |
 | [local_file.backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 
 ## Inputs