Open PatrickLaabs opened 1 year ago
The Atlantis webhook /events route itself is protected with token-based auth, so Terraform will not execute any plans or applies without GitHub/GitLab client authorization. We'll look into what it will take to remove the locks UI altogether. Thanks for this feature request.
Atlantis recently added a feature that will make it easier to implement this: https://www.runatlantis.io/docs/security.html#enable-authentication-on-atlantis-web-server
What would you like to be added: As a maintainer I'd like to have the exposed services, which are reachable from the web, be more secure. Currently the Atlantis website is open to everyone, and everyone is able to hit the button to disable and enable the 'apply commands' directly from the UI.
Initially, I guess, it's OK to work around this with the NGINX whitelist feature. https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#whitelist-source-range
In the long run, it could be wise to integrate it more with Vault, like it currently is with ArgoCD, and so on.
PS: This feature is not fully qualified in its description. One might add more technical details.
Why is this needed: Since the overall provisioning of the cluster is about production-grade readiness, an exposed website should not be accessible without some sort of login feature. At least it gives a good feeling to end users and decision makers.
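As an added example, not from the issue author or the Atlantis project, here is a constructed Kubernetes manifest that applies both mitigations discussed in this thread: the ingress-nginx source whitelist proposed as a workaround in the issue body, and the basic auth on the Atlantis web server referenced in the comment about the newer feature, while keeping the /events webhook route reachable by the VCS host, since that route is protected by the webhook secret rather than by source address. The namespace, host, CIDRs, image tag and every Secret value are placeholders; the `ATLANTIS_*` environment variables are the env-var form of the `--web-basic-auth`, `--web-username`, `--web-password` and `--gh-webhook-secret` server flags.

```yaml
# Added example; placeholders throughout (namespace, host, CIDRs, tag, secrets).
---
apiVersion: v1
kind: Secret
metadata: {name: atlantis-auth, namespace: atlantis}
type: Opaque
stringData:
  web-username: admin           # placeholder
  web-password: change-me       # placeholder; generate a real one
  gh-webhook-secret: change-me  # must equal the secret set on the GitHub webhook
---
# Without the ATLANTIS_WEB_* variables the UI (locks list, apply toggle)
# is open to anyone who can reach the Service. With them, every UI request
# must carry valid basic-auth credentials.
apiVersion: apps/v1
kind: Deployment
metadata: {name: atlantis, namespace: atlantis}
spec:
  replicas: 1
  selector: {matchLabels: {app: atlantis}}
  template:
    metadata: {labels: {app: atlantis}}
    spec:
      containers:
        - name: atlantis
          image: ghcr.io/runatlantis/atlantis:v0.28.0  # placeholder tag
          args: ["server"]
          env:
            - name: ATLANTIS_WEB_BASIC_AUTH
              value: "true"
            - name: ATLANTIS_WEB_USERNAME
              valueFrom: {secretKeyRef: {name: atlantis-auth, key: web-username}}
            - name: ATLANTIS_WEB_PASSWORD
              valueFrom: {secretKeyRef: {name: atlantis-auth, key: web-password}}
            - name: ATLANTIS_GH_WEBHOOK_SECRET
              valueFrom: {secretKeyRef: {name: atlantis-auth, key: gh-webhook-secret}}
          ports:
            - containerPort: 4141  # Atlantis default listen port
---
apiVersion: v1
kind: Service
metadata: {name: atlantis, namespace: atlantis}
spec:
  selector: {app: atlantis}
  ports:
    - port: 80
      targetPort: 4141
---
# UI paths: restricted by source address at the ingress controller, so a
# request from outside the listed ranges is answered 403 by nginx and
# never reaches Atlantis. The annotation is applied per location, so a
# second Ingress for the same host can carry a different policy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: atlantis-ui
  namespace: atlantis
  annotations:
    # placeholder office/VPN ranges
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,10.0.0.0/8"
spec:
  ingressClassName: nginx
  rules:
    - host: atlantis.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: {service: {name: atlantis, port: {number: 80}}}
---
# Webhook path: no source whitelist, because deliveries originate from the
# VCS host's address ranges, not from the office; the shared webhook secret
# authenticates them instead.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: {name: atlantis-events, namespace: atlantis}
spec:
  ingressClassName: nginx
  rules:
    - host: atlantis.example.com
      http:
        paths:
          - path: /events
            pathType: Exact
            backend: {service: {name: atlantis, port: {number: 80}}}
```

Two checks are worth running after `kubectl apply`: the whitelist only works if the ingress controller sees the real client address (expose it with `externalTrafficPolicy: Local` or PROXY protocol; otherwise every request appears to come from the load balancer and either everything or nothing is allowed), and a redelivery of a test webhook from the VCS host should still return 200 on /events while a plain `curl https://atlantis.example.com/` returns 403 from outside the ranges and 401 from inside them without credentials. For GitLab the corresponding variable is `ATLANTIS_GITLAB_WEBHOOK_SECRET`.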