Open roytev opened 11 months ago
+1 to that, a lot of people have to do that by themselves so this could be a cool addition
Awesome idea!
I don't think this should be bundled in, as it's not a core part of Atlantis. Configuring OAuth support is already available OOTB, and we do it today.
```yaml
ingress:
  enabled: true
  ingressClassName: nginx-external
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    cert-manager.io/cluster-issuer: cert-manager-r53-prod
    nginx.ingress.kubernetes.io/auth-signin: "https://vouch-ops-${env}.xxx.network/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err"
    nginx.ingress.kubernetes.io/auth-url: https://vouch-ops-${env}.xxx.network/validate
    nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
  host: atlantis-ops-dev.xxx.network
  path: /
  tls:
    - secretName: atlantis-prod-tls
      hosts:
        - atlantis-ops-dev.xxx.network
webhook_ingress:
  enabled: true
  ingressClassName: nginx-internal
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    cert-manager.io/cluster-issuer: cert-manager-r53-prod
  host: atlantis-webhook-ops-dev.xxx.network
  path: /events
  tls:
    - secretName: atlantis-webhook-dev-tls
      hosts:
        - atlantis-webhook-ops-dev.xxx.network
```
Spending time to hard-code oauth2 proxy just means you have to maintain that it works moving forward.
Hi @jseiser, you are right, it's supported with the Nginx ingress controller if you deploy oauth2 proxy (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/). Some of the users really don't need this feature baked into the Helm chart, but I still think that for users who are getting started with Atlantis it's a welcome feature. In my use case I use ALB ingress, which also has an OAuth feature, but it's very limited, so I deployed oauth2 proxy and wired it myself.
We can implement it as a sidecar with minimal effort, like in the jaeger chart: https://github.com/jaegertracing/helm-charts/blob/21f1f4cc54be4db30d80c25646210aaa37fbcab1/charts/jaeger/values.yaml#L533. I'm using it and it works fine.
@GenPage @GMartinez-Sisti, what do you guys think?
The project has a lot of stars, the correct license and great support for authentication providers. I don't oppose adding it; however, as soon as we add it, we need to ensure it keeps working, and we're going to get questions when someone doesn't get the config right, so we need to set the expectations from the start.
Creating a wrapper chart that would include atlantis and oauth2-proxy would be a common approach for most, so maybe we can add an examples folder with integrations and not have to maintain anything extra.
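A sketch of the wrapper-chart approach described in the comment above, added here as an illustration; it is not from the thread or from the Atlantis chart's examples. The chart name, hostnames, org/team names, Secret name, chart versions and the upstream service address are all assumptions or placeholders. The Atlantis UI ingress is turned off so the UI is reachable only through oauth2-proxy, which admits members of one GitHub team, while `/events` keeps its own ingress because a webhook sender cannot complete an OAuth login.

```yaml
# Chart.yaml of a hypothetical wrapper chart (name "atlantis-sso" is an assumption)
apiVersion: v2
name: atlantis-sso
version: 0.1.0
dependencies:
  - name: atlantis
    repository: https://runatlantis.github.io/helm-charts
    version: "<atlantis-chart-version>"        # placeholder: pin the version you run
  - name: oauth2-proxy
    repository: https://oauth2-proxy.github.io/manifests
    version: "<oauth2-proxy-chart-version>"    # placeholder
---
# values.yaml of the wrapper chart
atlantis:
  ingress:
    enabled: false             # no direct route to the UI; only oauth2-proxy is exposed
  webhook_ingress:
    enabled: true              # webhooks bypass SSO, so restrict this ingress to /events
    ingressClassName: nginx-internal
    host: atlantis-webhook.example.com   # constructed hostname
    path: /events

oauth2-proxy:
  config:
    # Assumed pre-created Secret with keys client-id, client-secret, cookie-secret,
    # so no OAuth credentials live in values.yaml.
    existingSecret: oauth2-proxy-github
  extraArgs:
    provider: github
    github-org: example-org          # constructed org name
    github-team: platform-team       # constructed team slug; only its members get in
    email-domain: "*"                # team membership, not e-mail domain, is the gate
    upstream: http://<atlantis-service>:80   # placeholder: the Atlantis Service in this release
  ingress:
    enabled: true
    className: nginx-external
    hosts:
      - atlantis.example.com         # constructed hostname for the UI
```

With this layout the Atlantis Service should stay a ClusterIP that is not reachable from outside the cluster by any other route, otherwise the proxy can be bypassed.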
I can add what I’ve done to the examples
Hi! In order to access the Atlantis UI I wanted SSO with GitHub and to limit the access to specific team members in our organization. Today that is not possible out of the box; what I've done is deploy https://oauth2-proxy.github.io/oauth2-proxy/. What I'm thinking is to introduce built-in support for that inside the Helm chart, as a sidecar or an additional deployment.
What do you think?