clean k8s credential handling and fix variable names

src/_nebari/stages/infrastructure/__init__.py

@@ -107,7 +107,7 @@ class AzureRBAC(schema.Base):
     """
 
     enabled: bool
-    managed: bool
+    managed_identity: bool
     admin_group_object_ids: List[str]
 
 

src/_nebari/stages/infrastructure/template/azure/modules/credentials/outputs.tf

@@ -0,0 +1,12 @@
+output "credentials" {
+  description = "Credentials required for connecting to Kubernetes cluster"
+  sensitive   = true
+  value = {
+    endpoint               = var.azure_rbac_enabled ? var.kube_admin_config.host : var.kube_config.host
+    username               = var.azure_rbac_enabled ? var.kube_admin_config.username : var.kube_config.username
+    password               = var.azure_rbac_enabled ? var.kube_admin_config.password : var.kube_config.password
+    client_certificate     = var.azure_rbac_enabled ? base64decode(var.kube_admin_config.client_certificate) : base64decode(var.kube_config.client_certificate)
+    client_key             = var.azure_rbac_enabled ? base64decode(var.kube_admin_config.client_key) : base64decode(var.kube_config.client_key)
+    cluster_ca_certificate = var.azure_rbac_enabled ? base64decode(var.kube_admin_config.cluster_ca_certificate) : base64decode(var.kube_config.cluster_ca_certificate)
+  }
+}

src/_nebari/stages/infrastructure/template/azure/modules/credentials/variables.tf

@@ -0,0 +1,16 @@
+variable "azure_rbac_enabled" {
+  description = "Flag to enable Azure RBAC"
+  type        = bool
+}
+
+variable "kube_admin_config" {
+  description = "Kube admin config for RBAC"
+  type        = any
+  sensitive   = true
+}
+
+variable "kube_config" {
+  description = "Kube config for standard access"
+  type        = any
+  sensitive   = true
+}

src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf

@@ -1,4 +1,4 @@
-data "azure_client_config" "current" {
+data "azurerm_client_config" "current" {
   count = var.azure_rbac.enabled ? 1 : 0
 }
 
@@ -68,10 +68,10 @@ resource "azurerm_kubernetes_cluster" "main" {
   dynamic "azure_active_directory_role_based_access_control" {
     for_each = var.azure_rbac.enabled ? [var.azure_rbac] : []
     content {
-      azure_rbac_enabled     = var.azure_rbac.azure_rbac_enabled
+      azure_rbac_enabled     = var.azure_rbac.enabled
       admin_group_object_ids = var.azure_rbac.admin_group_object_ids
-      tenant_id              = data.azure_client_config.current[0].tenant_id
-      managed                = var.azure_rbac.managed
+      tenant_id              = data.azurerm_client_config.current[0].tenant_id
+      managed                = var.azure_rbac.managed_identity
     }
   }
 }

src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/outputs.tf

@@ -1,20 +1,20 @@
+module "k8s_credentials" {
+  source             = "../credentials"
+  azure_rbac_enabled = var.azure_rbac.enabled
+  kube_admin_config  = azurerm_kubernetes_cluster.main.kube_admin_config[0]
+  kube_config        = azurerm_kubernetes_cluster.main.kube_config[0]
+}
+
 output "credentials" {
   description = "Credentials required for connecting to Kubernetes cluster"
   sensitive   = true
-  value = {
-    endpoint               = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config.0.host : azurerm_kubernetes_cluster.main.kube_config.0.host
-    username               = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config.0.username : azurerm_kubernetes_cluster.main.kube_config.0.username
-    password               = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config.0.password : azurerm_kubernetes_cluster.main.kube_config.0.password
-    client_certificate     = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config.0.client_certificate : azurerm_kubernetes_cluster.main.kube_config.0.client_certificate
-    client_key             = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config.0.client_key : azurerm_kubernetes_cluster.main.kube_config.0.client_key
-    cluster_ca_certificate = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config.0.cluster_ca_certificate : azurerm_kubernetes_cluster.main.kube_config.0.cluster_ca_certificate
-  }
+  value       = module.k8s_credentials.credentials
 }
 
 output "kubeconfig" {
   description = "Kubernetes connection kubeconfig"
   sensitive   = true
-  value       = var.azure_rbac.enable ? azurerm_kubernetes_cluster.main.kube_admin_config_raw : azurerm_kubernetes_cluster.main.kube_config_raw
+  value       = var.azure_rbac.enabled ? azurerm_kubernetes_cluster.main.kube_admin_config_raw : azurerm_kubernetes_cluster.main.kube_config_raw
 }
 
 output "cluster_oidc_issuer_url" {

src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf

@@ -81,12 +81,12 @@ variable "azure_rbac" {
   description = "Azure Active Directory Role-Based Access Control (RBAC) integration in a Kubernetes cluster"
   type = object({
     enabled : bool
-    managed : bool
+    managed_identity : bool
     admin_group_object_ids : list(string)
   })
   default = {
     enabled : false
-    managed : false
+    managed_identity : false
     admin_group_object_ids : []
   }
 }

src/_nebari/stages/infrastructure/template/azure/variables.tf

@@ -87,12 +87,12 @@ variable "azure_rbac" {
   description = "Azure Active Directory Role-Based Access Control (RBAC) integration in a Kubernetes cluster"
   type = object({
     enabled : bool
-    managed : bool
+    managed_identity : bool
     admin_group_object_ids : list(string)
   })
   default = {
     enabled : false
-    managed : false
+    managed_identity : false
     admin_group_object_ids : []
   }
 }