nebari-dev · Adam-D-Lewis · May 20, 2024 · Aug 22, 2023 · Aug 23, 2023 · Aug 23, 2023
diff --git a/pyproject.toml b/pyproject.toml
@@ -136,21 +136,23 @@ module = [
 ignore_missing_imports = true
 
 [tool.ruff]
+extend-exclude = [
+ "src/_nebari/template",
+ "home",
+ "__pycache__"
+]
+
+[tool.ruff.lint]
 select = [
- "E",
- "F",
- "PTH",
+ "E", # E: pycodestyle rules
+ "F", # F: pyflakes rules
+ "PTH", # PTH: flake8-use-pathlib rules
 ]
 ignore = [
  "E501", # Line too long
  "F821", # Undefined name
  "PTH123", # open() should be replaced by Path.open()
 ]
-extend-exclude = [
- "src/_nebari/template",
- "home",
- "__pycache__"
-]
 
 [tool.coverage.run]
 branch = true

diff --git a/src/_nebari/config.py b/src/_nebari/config.py
@@ -103,7 +103,8 @@ def write_configuration(
  """Write the nebari configuration file to disk"""
  with config_filename.open(mode) as f:
  if isinstance(config, pydantic.BaseModel):
- yaml.dump(config.model_dump(), f)
+ config_dict = config.write_config()
+ yaml.dump(config_dict, f)
  else:
  config = dump_nested_model(config)
  yaml.dump(config, f)

diff --git a/src/_nebari/initialize.py b/src/_nebari/initialize.py
@@ -26,7 +26,7 @@
  DEFAULT_GCP_NODE_GROUPS,
  node_groups_to_dict,
 )
-from _nebari.stages.kubernetes_ingress import CertificateEnum
+from _nebari.stages.kubernetes_ingress import LetsEncryptCertificate
 from _nebari.stages.kubernetes_keycloak import AuthenticationEnum
 from _nebari.stages.terraform_state import TerraformStateEnum
 from _nebari.utils import get_latest_kubernetes_version, random_secure_string
@@ -194,8 +194,7 @@ def render_config(
  config["theme"]["jupyterhub"]["hub_subtitle"] = WELCOME_HEADER_TEXT
 
  if ssl_cert_email:
- config["certificate"] = {"type": CertificateEnum.letsencrypt.value}
- config["certificate"]["acme_email"] = ssl_cert_email
+ config["certificate"] = LetsEncryptCertificate(acme_email=ssl_cert_email)
 
  # validate configuration and convert to model
  from nebari.plugins import nebari_plugin_manager

diff --git a/src/_nebari/keycloak.py b/src/_nebari/keycloak.py
@@ -7,7 +7,7 @@
 import requests
 import rich
 
-from _nebari.stages.kubernetes_ingress import CertificateEnum
+from _nebari.stages.kubernetes_ingress import SelfSignedCertificate
 from nebari import schema
 
 logger = logging.getLogger(__name__)
@@ -91,7 +91,7 @@ def get_keycloak_admin_from_config(config: schema.Main):
  "KEYCLOAK_ADMIN_PASSWORD", config.security.keycloak.initial_root_password
  )
 
- should_verify_tls = config.certificate.type != CertificateEnum.selfsigned
+ should_verify_tls = not isinstance(config.certificate, SelfSignedCertificate)
 
  try:
  keycloak_admin = keycloak.KeycloakAdmin(

diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
@@ -112,6 +112,7 @@ class AzureInputVars(schema.Base):
  tags: Dict[str, str] = {}
  max_pods: Optional[int] = None
  network_profile: Optional[Dict[str, str]] = None
+ workload_identity_enabled: bool = False
 
 
 class AWSNodeGroupInputVars(schema.Base):
@@ -380,6 +381,7 @@ class AzureProvider(schema.Base):
  tags: Optional[Dict[str, str]] = {}
  network_profile: Optional[Dict[str, str]] = None
  max_pods: Optional[int] = None
+ workload_identity_enabled: bool = False
 
  @model_validator(mode="before")
  @classmethod
@@ -563,6 +565,13 @@ class InputSchema(schema.Base):
  azure: Optional[AzureProvider] = None
  digital_ocean: Optional[DigitalOceanProvider] = None
 
+ def exclude_from_config(self):
+ exclude = set()
+ for provider in InputSchema.model_fields:
+ if getattr(self, provider) is None:
+ exclude.add(provider)
+ return exclude
+
  @model_validator(mode="before")
  @classmethod
  def check_provider(cls, data: Any) -> Any:
@@ -781,6 +790,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
  tags=self.config.azure.tags,
  network_profile=self.config.azure.network_profile,
  max_pods=self.config.azure.max_pods,
+ workload_identity_enabled=self.config.azure.workload_identity_enabled,
  ).model_dump()
  elif self.config.provider == schema.ProviderEnum.aws:
  return AWSInputVars(

diff --git a/src/_nebari/stages/infrastructure/template/azure/main.tf b/src/_nebari/stages/infrastructure/template/azure/main.tf
@@ -40,6 +40,7 @@ module "kubernetes" {
  max_size = config.max_nodes
  }
  ]
- vnet_subnet_id = var.vnet_subnet_id
- private_cluster_enabled = var.private_cluster_enabled
+ vnet_subnet_id = var.vnet_subnet_id
+ private_cluster_enabled = var.private_cluster_enabled
+ workload_identity_enabled = var.workload_identity_enabled
 }
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
@@ -5,6 +5,10 @@ resource "azurerm_kubernetes_cluster" "main" {
  resource_group_name = var.resource_group_name
  tags = var.tags
 
+ # To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.
+ oidc_issuer_enabled = var.workload_identity_enabled
+ workload_identity_enabled = var.workload_identity_enabled
+
  # DNS prefix specified when creating the managed cluster. Changing this forces a new resource to be created.
  dns_prefix = "Nebari" # required
 

diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/outputs.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/outputs.tf
@@ -17,3 +17,13 @@ output "kubeconfig" {
  sensitive = true
  value = azurerm_kubernetes_cluster.main.kube_config_raw
 }
+
+output "cluster_oidc_issuer_url" {
+ description = "The OpenID Connect issuer URL that is associated with the AKS cluster"
+ value = azurerm_kubernetes_cluster.main.oidc_issuer_url
+}
+
+output "resource_group_name" {
+ description = "The name of the resource group in which the AKS cluster is created"
+ value = azurerm_kubernetes_cluster.main.resource_group_name
+}
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
@@ -70,3 +70,9 @@ variable "max_pods" {
  type = number
  default = 60
 }
+
+variable "workload_identity_enabled" {
+ description = "Enable Workload Identity"
+ type = bool
+ default = false
+}
diff --git a/src/_nebari/stages/infrastructure/template/azure/outputs.tf b/src/_nebari/stages/infrastructure/template/azure/outputs.tf
@@ -22,3 +22,13 @@ output "kubeconfig_filename" {
  description = "filename for nebari kubeconfig"
  value = var.kubeconfig_filename
 }
+
+output "cluster_oidc_issuer_url" {
+ description = "The OpenID Connect issuer URL that is associated with the AKS cluster"
+ value = module.kubernetes.cluster_oidc_issuer_url
+}
+
+output "resource_group_name" {
+ description = "The name of the resource group in which the AKS cluster is created"
+ value = module.kubernetes.resource_group_name
+}
diff --git a/src/_nebari/stages/infrastructure/template/azure/variables.tf b/src/_nebari/stages/infrastructure/template/azure/variables.tf
@@ -76,3 +76,9 @@ variable "max_pods" {
  type = number
  default = 60
 }
+
+variable "workload_identity_enabled" {
+ description = "Enable Workload Identity"
+ type = bool
+ default = false
+}
diff --git a/src/_nebari/stages/kubernetes_ingress/__init__.py b/src/_nebari/stages/kubernetes_ingress/__init__.py
@@ -1,9 +1,12 @@
-import enum
+from __future__ import annotations
+
 import logging
 import socket
 import sys
 import time
-from typing import Any, Dict, List, Optional, Type
+from typing import Any, Dict, List, Literal, Optional, Type, Union
+
+from pydantic import Field
 
 from _nebari import constants
 from _nebari.provider.dns.cloudflare import update_record
@@ -112,27 +115,33 @@ def _attempt_dns_lookup(
  sys.exit(1)
 
 
-@schema.yaml_object(schema.yaml)
-class CertificateEnum(str, enum.Enum):
- letsencrypt = "lets-encrypt"
- selfsigned = "self-signed"
- existing = "existing"
- disabled = "disabled"
-
- @classmethod
- def to_yaml(cls, representer, node):
- return representer.represent_str(node.value)
+class SelfSignedCertificate(schema.Base):
+ type: Literal["self-signed"] = Field("self-signed", validate_default=True)
 
 
-class Certificate(schema.Base):
- type: CertificateEnum = CertificateEnum.selfsigned
- # existing
- secret_name: Optional[str] = None
- # lets-encrypt
- acme_email: Optional[str] = None
+class LetsEncryptCertificate(schema.Base):
+ type: Literal["lets-encrypt"] = Field("lets-encrypt", validate_default=True)
+ acme_email: str
  acme_server: str = "https://acme-v02.api.letsencrypt.org/directory"
 
 
+class ExistingCertificate(schema.Base):
+ type: Literal["existing"] = Field("existing", validate_default=True)
+ secret_name: str
+
+
+class DisabledCertificate(schema.Base):
+ type: Literal["disabled"] = Field("disabled", validate_default=True)
+
+
+Certificate = Union[
+ SelfSignedCertificate,
+ LetsEncryptCertificate,
+ ExistingCertificate,
+ DisabledCertificate,
+]
+
+
 class DnsProvider(schema.Base):
  provider: Optional[str] = None
  auto_provision: Optional[bool] = False
@@ -144,7 +153,7 @@ class Ingress(schema.Base):
 
 class InputSchema(schema.Base):
  domain: Optional[str] = None
- certificate: Certificate = Certificate()
+ certificate: Certificate = SelfSignedCertificate()
  ingress: Ingress = Ingress()
  dns: DnsProvider = DnsProvider()
 

diff --git a/src/_nebari/stages/kubernetes_services/template/forward-auth.tf b/src/_nebari/stages/kubernetes_services/template/forward-auth.tf
@@ -7,3 +7,13 @@ module "forwardauth" {
 
  node-group = var.node_groups.general
 }
+
+output "forward-auth-middleware" {
+ description = "middleware name for use with forward auth"
+ value = module.forwardauth.forward-auth-middleware
+}
+
+output "forward-auth-service" {
+ description = "middleware name for use with forward auth"
+ value = module.forwardauth.forward-auth-service
+}
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf
@@ -144,7 +144,7 @@ resource "kubernetes_manifest" "forwardauth-middleware" {
  apiVersion = "traefik.containo.us/v1alpha1"
  kind = "Middleware"
  metadata = {
- name = "traefik-forward-auth"
+ name = var.forwardauth_middleware_name
  namespace = var.namespace
  }
  spec = {
@@ -175,7 +175,7 @@ resource "kubernetes_manifest" "forwardauth-ingressroute" {
 
  middlewares = [
  {
- name = "traefik-forward-auth"
+ name = kubernetes_manifest.forwardauth-middleware.manifest.metadata.name
  namespace = var.namespace
  }
  ]

diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf
@@ -26,3 +26,9 @@ variable "node-group" {
  value = string
  })
 }
+
+variable "forwardauth_middleware_name" {
+ description = "Name of the traefik forward auth middleware"
+ type = string
+ default = "traefik-forward-auth"
+}
diff --git a/src/_nebari/subcommands/init.py b/src/_nebari/subcommands/init.py
@@ -106,6 +106,7 @@ class InitInputs(schema.Base):
  ssl_cert_email: Optional[schema.email_pydantic] = None
  disable_prompt: bool = False
  output: pathlib.Path = pathlib.Path("nebari-config.yaml")
+ verbose: bool = False
 
 
 def enum_to_list(enum_cls):
@@ -152,7 +153,7 @@ def handle_init(inputs: InitInputs, config_schema: BaseModel):
  try:
  write_configuration(
  inputs.output,
- config,
+ config if not inputs.verbose else config_schema(**config),
  mode="x",
  )
  except FileExistsError:
@@ -565,6 +566,12 @@ def init(
  "-o",
  help="Output file path for the rendered config file.",
  ),
+ verbose: bool = typer.Option(
+ False,
+ "--verbose",
+ "-v",
+ help="Write verbose nebari config file.",
+ ),
  ):
  """
  Create and initialize your [purple]nebari-config.yaml[/purple] file.
@@ -604,6 +611,7 @@ def init(
  inputs.ssl_cert_email = ssl_cert_email
  inputs.disable_prompt = disable_prompt
  inputs.output = output
+ inputs.verbose = verbose
 
  from nebari.plugins import nebari_plugin_manager
 
@@ -894,6 +902,14 @@ def guided_init_wizard(ctx: typer.Context, guided_init: str):
  )
  inputs.kubernetes_version = kubernetes_version
 
+ # VERBOSE
+ inputs.verbose = questionary.confirm(
+ "Would you like the nebari config to show all available options? (recommended for advanced users only)",
+ default=False,
+ qmark=qmark,
+ auto_enter=False,
+ ).unsafe_ask()
+
  from nebari.plugins import nebari_plugin_manager
 
  config_schema = nebari_plugin_manager.config_schema

diff --git a/src/nebari/plugins.py b/src/nebari/plugins.py
@@ -124,11 +124,32 @@ def ordered_stages(self):
  return self.get_available_stages()
 
  @property
- def config_schema(self):
- classes = [schema.Main] + [
+ def ordered_schemas(self):
+ return [schema.Main] + [
  _.input_schema for _ in self.ordered_stages if _.input_schema is not None
  ]
- return type("ConfigSchema", tuple(classes), {})
+
+ @property
+ def config_schema(self):
+ ordered_schemas = self.ordered_schemas
+
+ def write_config(self):
+ config_exclude = set()
+ for cls in self._ordered_schemas:
+ if hasattr(cls, "exclude_from_config"):
+ new_exclude = cls.exclude_from_config(self)
+ config_exclude = config_exclude.union(new_exclude)
+ return self.model_dump(exclude=config_exclude)
+
+ ConfigSchema = type(
+ "ConfigSchema",
+ tuple(ordered_schemas[::-1]),
+ {
+ "_ordered_schemas": ordered_schemas,
+ "write_config": write_config,
+ },
+ )
+ return ConfigSchema
 
 
 nebari_plugin_manager = NebariPluginManager()