feat(deploy): integrate Azure Key Vault secrets sync via CSI driver (#32)

Author: agreaves-ms

README.md

@@ -26,7 +26,7 @@ The infrastructure deploys an AKS cluster with GPU node pools running the NVIDIA
 | Private Endpoints | Secure access to Azure services (7 endpoints, 11+ DNS zones) |
 | AKS Cluster | Kubernetes with GPU Spot node pools and Workload Identity |
 | Key Vault | Secrets management with RBAC authorization |
-| Azure ML Workspace | Experiment tracking, model registry, compute management |
+| Azure ML Workspace | Experiment tracking, model registry |
 | Storage Account | Training data, checkpoints, and workflow artifacts |
 | Container Registry | Training and OSMO container images |
 | Azure Monitor | Log Analytics, Prometheus metrics, Managed Grafana |
@@ -88,25 +88,14 @@ OSMO orchestration on Azure enables production-scale robotics training across in
 ### 1. Deploy Infrastructure
 
 ```bash
-# Set subscription for Terraform
-source deploy/000-prerequisites/az-sub-init.sh
-
-# Register providers (new subscriptions only)
-./deploy/000-prerequisites/register-azure-providers.sh
-
 cd deploy/001-iac
-
-# Create terraform.tfvars with your values
-cat > terraform.tfvars << 'EOF'
-environment     = "dev"
-resource_prefix = "robotst"       # Your prefix (3-8 chars)
-location        = "eastus2"   # Azure region with GPU quota
-EOF
-
-terraform init && terraform apply
+source ../000-prerequisites/az-sub-init.sh
+cp terraform.tfvars.example terraform.tfvars
+# Edit terraform.tfvars with your values
+terraform init && terraform apply -var-file=terraform.tfvars
 ```
 
-For optional VPN deployment and additional configuration, see [deploy/001-iac/README.md](deploy/001-iac/README.md).
+For VPN, automation, and additional configuration, see [deploy/001-iac/README.md](deploy/001-iac/README.md).
 
 ### 2. Configure Cluster
 
@@ -172,7 +161,7 @@ az aks get-credentials --resource-group <rg> --name <aks>
 ./scripts/submit-azureml-validation.sh --model-name my-policy --stream
 ```
 
-> **Tip**: Run `./scripts/submit-*-training.sh --help` for all available options.
+> **Tip**: Run any script with `--help` for all available options.
 
 ## 🔐 Deployment Scenarios
 
@@ -189,17 +178,17 @@ See [002-setup/README.md](deploy/002-setup/README.md) for detailed instructions.
 ```text
 .
 ├── deploy/
-│   ├── 000-prerequisites/    # Validation scripts
-│   ├── 001-iac/              # Terraform infrastructure
-│   └── 002-setup/            # Cluster configuration scripts
+│   ├── 000-prerequisites/              # Azure CLI and provider setup
+│   ├── 001-iac/                        # Terraform infrastructure
+│   └── 002-setup/                      # Cluster configuration scripts
 ├── scripts/
-│   ├── submit-azureml-*.sh   # AzureML job submission
-│   └── submit-osmo-*.sh      # OSMO workflow submission
+│   ├── submit-azureml-*.sh             # AzureML job submission
+│   └── submit-osmo-*.sh                # OSMO workflow submission
 ├── workflows/
-│   ├── azureml/              # AzureML job templates
-│   └── osmo/                 # OSMO workflow templates
-├── src/training/             # Training code
-└── docs/                     # Additional documentation
+│   ├── azureml/                        # AzureML job templates
+│   └── osmo/                           # OSMO workflow templates
+├── src/training/                       # Training code
+└── docs/                               # Additional documentation
 ```
 
 ## 📖 Documentation

deploy/000-prerequisites/README.md

@@ -2,14 +2,14 @@
 
 Azure CLI initialization and subscription setup for Terraform deployments.
 
-## Scripts
+## 📜 Scripts
 
 | Script | Purpose |
 |--------|---------|
 | `az-sub-init.sh` | Azure login and `ARM_SUBSCRIPTION_ID` export |
 | `register-azure-providers.sh` | Register required Azure resource providers |
 
-## Usage
+## 🚀 Usage
 
 Source the initialization script to set `ARM_SUBSCRIPTION_ID` for Terraform:
 
@@ -33,7 +33,7 @@ For new Azure subscriptions or subscriptions that haven't deployed AKS, AzureML,
 
 The script reads providers from `robotics-azure-resource-providers.txt` and waits for registration to complete. This is a one-time operation per subscription.
 
-## What It Does
+## ⚙️ What It Does
 
 ### az-sub-init.sh
 
@@ -50,6 +50,6 @@ The subscription ID is required by Terraform's Azure provider when not running i
 3. Registers unregistered providers
 4. Polls until all providers reach `Registered` state
 
-## Next Step
+## ➡️ Next Step
 
 After initialization, proceed to [001-iac](../001-iac/) to deploy infrastructure.