Workload identity

pyproject.toml

@@ -136,21 +136,23 @@ module = [
 ignore_missing_imports = true
 
 [tool.ruff]
+extend-exclude = [
+    "src/_nebari/template",
+    "home",
+    "__pycache__"
+]
+
+[tool.ruff.lint]
 select = [
-    "E",
-    "F",
-    "PTH",
+    "E",  # E: pycodestyle rules
+    "F",  # F: pyflakes rules
+    "PTH",  # PTH: flake8-use-pathlib rules
 ]
 ignore = [
     "E501", # Line too long
     "F821", # Undefined name
     "PTH123", # open() should be replaced by Path.open()
 ]
-extend-exclude = [
-    "src/_nebari/template",
-    "home",
-    "__pycache__"
-]
 
 [tool.coverage.run]
 branch = true

src/_nebari/stages/infrastructure/__init__.py

@@ -112,6 +112,7 @@ class AzureInputVars(schema.Base):
     tags: Dict[str, str] = {}
     max_pods: Optional[int] = None
     network_profile: Optional[Dict[str, str]] = None
+    workload_identity_enabled: bool = False
 
 
 class AWSNodeGroupInputVars(schema.Base):
@@ -380,6 +381,7 @@ class AzureProvider(schema.Base):
     tags: Optional[Dict[str, str]] = {}
     network_profile: Optional[Dict[str, str]] = None
     max_pods: Optional[int] = None
+    workload_identity_enabled: bool = False
 
     @model_validator(mode="before")
     @classmethod
@@ -781,6 +783,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 tags=self.config.azure.tags,
                 network_profile=self.config.azure.network_profile,
                 max_pods=self.config.azure.max_pods,
+                workload_identity_enabled=self.config.azure.workload_identity_enabled,
             ).model_dump()
         elif self.config.provider == schema.ProviderEnum.aws:
             return AWSInputVars(

src/_nebari/stages/infrastructure/template/azure/main.tf

@@ -40,6 +40,7 @@ module "kubernetes" {
       max_size      = config.max_nodes
     }
   ]
-  vnet_subnet_id          = var.vnet_subnet_id
-  private_cluster_enabled = var.private_cluster_enabled
+  vnet_subnet_id            = var.vnet_subnet_id
+  private_cluster_enabled   = var.private_cluster_enabled
+  workload_identity_enabled = var.workload_identity_enabled
 }

src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf

@@ -5,6 +5,10 @@ resource "azurerm_kubernetes_cluster" "main" {
   resource_group_name = var.resource_group_name
   tags                = var.tags
 
+  # To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.
+  oidc_issuer_enabled       = var.workload_identity_enabled
+  workload_identity_enabled = var.workload_identity_enabled
+
   # DNS prefix specified when creating the managed cluster. Changing this forces a new resource to be created.
   dns_prefix = "Nebari" # required
 

src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/outputs.tf

@@ -17,3 +17,13 @@ output "kubeconfig" {
   sensitive   = true
   value       = azurerm_kubernetes_cluster.main.kube_config_raw
 }
+
+output "cluster_oidc_issuer_url" {
+  description = "The OpenID Connect issuer URL that is associated with the AKS cluster"
+  value       = azurerm_kubernetes_cluster.main.oidc_issuer_url
+}
+
+output "resource_group_name" {
+  description = "The name of the resource group in which the AKS cluster is created"
+  value       = azurerm_kubernetes_cluster.main.resource_group_name
+}

src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf

@@ -70,3 +70,9 @@ variable "max_pods" {
   type        = number
   default     = 60
 }
+
+variable "workload_identity_enabled" {
+  description = "Enable Workload Identity"
+  type        = bool
+  default     = false
+}

src/_nebari/stages/infrastructure/template/azure/outputs.tf

@@ -22,3 +22,13 @@ output "kubeconfig_filename" {
   description = "filename for nebari kubeconfig"
   value       = var.kubeconfig_filename
 }
+
+output "cluster_oidc_issuer_url" {
+  description = "The OpenID Connect issuer URL that is associated with the AKS cluster"
+  value       = module.kubernetes.cluster_oidc_issuer_url
+}
+
+output "resource_group_name" {
+  description = "The name of the resource group in which the AKS cluster is created"
+  value       = module.kubernetes.resource_group_name
+}

src/_nebari/stages/infrastructure/template/azure/variables.tf

@@ -76,3 +76,9 @@ variable "max_pods" {
   type        = number
   default     = 60
 }
+
+variable "workload_identity_enabled" {
+  description = "Enable Workload Identity"
+  type        = bool
+  default     = false
+}

src/_nebari/stages/kubernetes_services/template/forward-auth.tf

@@ -7,3 +7,13 @@ module "forwardauth" {
 
   node-group = var.node_groups.general
 }
+
+output "forward-auth-middleware" {
+  description = "middleware name for use with forward auth"
+  value       = module.forwardauth.forward-auth-middleware
+}
+
+output "forward-auth-service" {
+  description = "middleware name for use with forward auth"
+  value       = module.forwardauth.forward-auth-service
+}

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/main.tf

@@ -144,7 +144,7 @@ resource "kubernetes_manifest" "forwardauth-middleware" {
     apiVersion = "traefik.containo.us/v1alpha1"
     kind       = "Middleware"
     metadata = {
-      name      = "traefik-forward-auth"
+      name      = var.forwardauth_middleware_name
       namespace = var.namespace
     }
     spec = {
@@ -175,7 +175,7 @@ resource "kubernetes_manifest" "forwardauth-ingressroute" {
 
           middlewares = [
             {
-              name      = "traefik-forward-auth"
+              name      = kubernetes_manifest.forwardauth-middleware.manifest.metadata.name
               namespace = var.namespace
             }
           ]

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/outputs.tf

@@ -0,0 +1,13 @@
+output "forward-auth-middleware" {
+  description = "middleware name for use with forward auth"
+  value = {
+    name = kubernetes_manifest.forwardauth-middleware.manifest.metadata.name
+  }
+}
+
+output "forward-auth-service" {
+  description = "middleware name for use with forward auth"
+  value = {
+    name = kubernetes_service.forwardauth-service.metadata.0.name
+  }
+}

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/forwardauth/variables.tf

@@ -26,3 +26,9 @@ variable "node-group" {
     value = string
   })
 }
+
+variable "forwardauth_middleware_name" {
+  description = "Name of the traefik forward auth middleware"
+  type        = string
+  default     = "traefik-forward-auth"
+}