runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

GitHub App webhook doesn't work when basicAuth is enabled #2904

Closed robmonct closed 1 year ago

robmonct commented 1 year ago

Overview of the Issue

GitHub App webhook doesn't work when basicAuth is enabled

Reproduction Steps

Atlantis installation through Helm chart (version 4.8.1) with Atlantis version (v0.21.0)

Logs

Logs in GitHub App > Advanced

Response 502

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>502 Server Error</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Server Error</h1>
<h2>The server encountered a temporary error and could not complete your request.<p>Please try again in 30 seconds.</h2>
<h2></h2>
</body></html>

Environment details

  image:
    repository: <private_repo>
    tag: v0.21.0
    pullPolicy: Always

  containerSecurityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false

  service:
    type: NodePort

  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: "gce"
      kubernetes.io/ingress.global-static-ip-name: "******"
      networking.gke.io/managed-certificates: "******"
      cloud.google.com/frontend-config: "******"
      cloud.google.com/backend-config: "******"
    path: "/events"
    pathType: ImplementationSpecific
    host: ******

  repoConfig: |
    ---
    # repos lists the config for specific repos.
    repos:
      # id can either be an exact repo ID or a regex.
      # If using a regex, it must start and end with a slash.
      # Repo ID's are of the form {VCS hostname}/{org}/{repo name}, ex.
      # github.com/runatlantis/atlantis.
    - id: /.*/
      apply_requirements: [approved, mergeable]
      allow_custom_workflows: true
      allowed_overrides: [workflow]

  orgAllowlist: ******
  serviceAccount:
    create: true

  googleServiceAccountSecrets:
    - name: ******
      secretName: ******

  resources:
    requests:
      memory: 2Gi
      cpu: 2000m
    limits:
      memory: 6Gi
      cpu: 4000m

  dataStorage: 30Gi
  githubApp:
    id: ******
    key: |
      ******
    secret: ******

  environment:
    ATLANTIS_AUTOMERGE: true
    GOOGLE_APPLICATION_CREDENTIALS: "******"

  environmentSecrets:
    - name: GITHUB_TOKEN
      secretKeyRef:
        name: ******
        key: ******

  extraManifests:
    - apiVersion: networking.gke.io/v1
      kind: ManagedCertificate
      metadata:
        name: ******
        namespace: ******
      spec:
        domains:
          - ******

    - apiVersion: networking.gke.io/v1beta1
      kind: FrontendConfig
      metadata:
        name: ******
      spec:
        redirectToHttps:
          enabled: true
          responseCodeName: PERMANENT_REDIRECT

    - apiVersion: cloud.google.com/v1
      kind: BackendConfig
      metadata:
        name: ******
        namespace: ******
      spec:
        iap:
          enabled: false
          oauthclientCredentials:
            secretName: ******

  # basicAuth:
  #   username: "checkoutanywhere"
  #   password: "XtFM6A&REjAzejFE"

Additional Context

krrrr38 commented 1 year ago

@robmonct If the webhook requires basic auth, the Atlantis server returns 401. Even if you enable basic auth on Atlantis, the /events endpoint doesn't need basic auth. I guess the 502 is returned by the GCP load balancer, not Atlantis. Could you check your proxy settings?

robmonct commented 1 year ago

We solved it with a workaround, thanks.

nitrocode commented 1 year ago

@robmonct please include your workaround for others. It would also help to know what it is in case we need to add it to our documentation.

robmonct commented 1 year ago

Yes, of course. We expose /events publicly to work with GitHub. And we have configured GCP IAP to access the Atlantis UI.
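
One way to express the workaround described above on GKE, as an added example that is not from the thread or the Atlantis project: two Services in front of the same Atlantis pods, with IAP attached only to the one that serves the UI. All resource names, the host, the `app: atlantis` label and target port 4141 (Atlantis's default port) are assumptions.

```yaml
# Constructed manifests; every name, host and label is a placeholder.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: atlantis-ui-iap
spec:
  iap:
    enabled: true                     # IAP guards the UI backend only
    oauthclientCredentials:
      secretName: atlantis-iap-oauth
---
apiVersion: v1
kind: Service
metadata:
  name: atlantis-ui
  annotations:
    cloud.google.com/backend-config: '{"default": "atlantis-ui-iap"}'
spec:
  type: NodePort
  selector: {app: atlantis}
  ports: [{port: 80, targetPort: 4141}]
---
apiVersion: v1
kind: Service
metadata:
  name: atlantis-events               # no BackendConfig, so no IAP here
spec:
  type: NodePort
  selector: {app: atlantis}
  ports: [{port: 80, targetPort: 4141}]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: atlantis
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
    - host: atlantis.example.com
      http:
        paths:
          - path: /events             # GitHub webhook deliveries
            pathType: ImplementationSpecific
            backend: {service: {name: atlantis-events, port: {number: 80}}}
          - path: /*                  # UI and everything else, behind IAP
            pathType: ImplementationSpecific
            backend: {service: {name: atlantis-ui, port: {number: 80}}}
```

Because /events is reachable without IAP in this layout, keep the webhook secret (`githubApp.secret` in the values above) set so Atlantis can verify that deliveries come from GitHub.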

nitrocode commented 1 year ago

@robmonct this Terraform module may have automated this situation already

https://github.com/bschaatsbergen/terraform-gce-atlantis

robmonct commented 1 year ago

Thank you. We use GKE but maybe we can use it. I will take a look.