Closed atlantisbot closed 2 years ago
atlantisbot
commented
6 years ago 
Are you asking about building Atlantis as a GitHub OAuth app (https://developer.github.com/apps/building-oauth-apps/) instead of adding it as a webhook?
Also, can you elaborate on what you mean by using OAuth to authenticate users to Atlantis? Just trying to understand.
atlantisbot
commented
6 years ago 
I think the ask is to make sure that atlantis is only available to specific users. We do the same thing with our Jenkins, you authenticate to Jenkins with your github credentials and if you are not part of the org or users specified you are denied access.
MrSaints
commented
6 years ago As a temporary solution https://github.com/bitly/oauth2_proxy
lkysow
commented
6 years ago @MrSaints thanks that looks promising. When #136 is worked on it should include something like this. Are you doing it yourself?
MrSaints
commented
6 years ago Yes - we opted for deploying Atlantis using Docker on a single VM (no Kubernetes). We managed to get it working on Kubernetes too, but decided to keep it simple. Everything can be bootstrapped in a relatively small cloudinit script.
lkysow
commented
6 years ago For others looking at this, you can also whitelist requests from Github/Gitlab/Bitbucket IP addresses:
NicholasGWK
commented
5 years ago Sorry if this is the wrong place to post, but I was wondering if there's a good explanation somewhere of the security concerns / capabilities of the Atlantis UI?
I wasn't able to find anything in the docs about how locked down it should be, or if people are mostly just using basic auth etc. If all you can do dismiss locks it's probably fine to be somewhat public, but just curious if there are other implications!
Thanks, loving Atlantis so far!
Nick
lkysow
commented
5 years ago Hi Nick, I've just created https://github.com/runatlantis/atlantis/issues/485 to add some documentation around this.
You're right that all it's used for is to dismiss locks, however given that Atlantis is often deployed with important credentials, I would definitely want to lock it down. This would protect against something like an exploit in the gin http framework Atlantis uses.
NicholasGWK
commented
5 years ago Awesome! Thanks a ton for responding so quickly, looking forward to the docs :)
chenrui333
commented
5 years ago I submit a new issue, it might be quite similar to this, or might involved with more efforts in terms of integration efforts.
jimmyjamesbaldwin
commented
4 years ago Just wondering - have there been any updates on this (ability to lock down the UI)? Even something relatively simple like basic auth would be quite handy.
bitfield
commented
4 years ago I would also find it really useful to be able to simply turn on basic auth using a setting in values.yaml. This is currently a blocker for clients considering adopting Atlantis, as they otherwise have no way of securing the front end.
lkysow
commented
4 years ago Why is it a blocker? They (or you) need to front Atlantis with nginx or something to handle the auth. If you're in Kubernetes this should be doable with a sidecar container.
Yes it would be nice to have it built in. PRs are welcome.
crisp2u
commented
4 years ago @bitfield I implemented a custom docker with nginx but it's a bit messy. I'll try to give oauth2_proxy a test and maybe come back with a dockerfile
bitfield
commented
4 years ago Why is it a blocker? They (or you) need to front Atlantis with nginx or something to handle the auth.
It's not that it couldn't be done with some engineering time. But that's exactly what's at a premium. They want something that's built-in, controlled by a setting in a YAML file.
As a matter of fact adding basic auth wasn't as hard as I feared it might be. All I needed to do to add basic auth to the Atlantis front end was to create the required secret, as described here: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
and add the following to values.yaml:
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"This seems like it's something that would be great to add to the docs!
lkysow
commented
4 years ago Nice! I'd suggest adding it as a PR here: https://github.com/runatlantis/atlantis/blob/master/runatlantis.io/docs/security.md
blacksd
commented
3 years ago I think that the correct way to do it should be:
/events path into the applicationbasic-auth or oauth2_proxy protected Ingress to route all the paths / I'd like to contribute to the Helm chart about this.
ayk33
commented
3 years ago I think that the correct way to do it should be:
- define an unauthenticated Ingress routing only the
/eventspath into the application- create a separate,
basic-authoroauth2_proxyprotected Ingress to route all the paths/I'd like to contribute to the Helm chart about this.
How would you achieve this with the ingress though? Can you have basic auth limited to specific path or rule?
blacksd
commented
3 years ago @ayk33 I think you can, if you narrow down the ingress to a single path. Then you make a second one with the unrestricted paths.
ayk33
commented
3 years ago @blacksd ahh okay yeah that makes sense. I was trying to figure out how to do it with 1 ingress. Alright this would definitely require a change to the helm chart.
jamengual
commented
2 years ago atalntis now supports basic auth and an oauth proxy can deploy on front if needed.
jmreicha
commented
1 year ago Is there an example of the oauth proxy sidecar config? Might be worth adding to docs, I would be happy to add it.
jamengual
commented
1 year ago https://github.com/runatlantis/atlantis/issues/485
the deployment is dependent on if you use ECS, K8s, EKS, or others but basically, anything that is not /events will need to be sent to the proxy.
It would be great if we can have Oauth callback ability in Atlantis. That would avoid us from being relying on our own HTTP auth methods and rather just use GitHub OAuth to authenticate users to Atlantis. I looked at closed and open issues but didn't find any issues in regards to OAuth. Can you throw some light on this?
Thanks