runatlantis / helm-charts

Atlantis Helm Chart
Apache License 2.0

Oauth2 proxy support for atlantis ingress #330

Open roytev opened 11 months ago

roytev commented 11 months ago

Hi! In order to access the Atlantis UI, I wanted SSO with GitHub and to limit access to specific team members in our organization. Today this is not possible out of the box; what I've done is deploy https://oauth2-proxy.github.io/oauth2-proxy/. What I'm thinking is to introduce built-in support for that inside the Helm chart, as a sidecar or an additional deployment.

What do you think?

jamengual commented 11 months ago

+1 to that. A lot of people have to do that by themselves, so this could be a cool addition.

bschaatsbergen commented 11 months ago

Awesome idea!

jseiser commented 10 months ago

I don't think this should be bundled in, as it's not a core part of Atlantis. Configuring OAuth support is already available OOTB, and we do it today.

```yaml
# UI ingress: every request is gated by an external auth subrequest to Vouch
# (nginx auth_request). Unauthenticated users are redirected to auth-signin.
ingress:
  enabled: true
  ingressClassName: nginx-external
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    cert-manager.io/cluster-issuer: cert-manager-r53-prod
    # Where nginx sends the browser when /validate answers 401
    nginx.ingress.kubernetes.io/auth-signin: "https://vouch-ops-${env}.xxx.network/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err"
    # Subrequest target: 200 lets the request through, 401 triggers auth-signin
    nginx.ingress.kubernetes.io/auth-url: https://vouch-ops-${env}.xxx.network/validate
    # Header copied from the auth response onto the request forwarded to Atlantis
    nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User
    # Capture Vouch's response headers into nginx variables used by auth-signin
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
  host: atlantis-ops-dev.xxx.network
  path: /
  tls:
    - secretName: atlantis-prod-tls
      hosts:
        - atlantis-ops-dev.xxx.network
# Webhook ingress: separate host and class, no auth annotations, and only the
# /events path exposed, because the VCS webhook cannot complete a browser login.
webhook_ingress:
  enabled: true
  ingressClassName: nginx-internal
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    cert-manager.io/cluster-issuer: cert-manager-r53-prod
  host: atlantis-webhook-ops-dev.xxx.network
  path: /events
  tls:
    - secretName: atlantis-webhook-dev-tls
      hosts:
        - atlantis-webhook-ops-dev.xxx.network
```

Spending time to hard-code oauth2-proxy just means you have to maintain that it keeps working moving forward.

roytev commented 10 months ago

Hi @jseiser, you are right, it's supported with the NGINX ingress controller if you deploy oauth2-proxy (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/). Some users really don't need this feature baked into the Helm chart, but I still think that for users who are getting started with Atlantis it's a welcome feature. In my use case I use the ALB ingress, which also has an OAuth feature, but it's very limited, so I deployed oauth2-proxy and wired it myself.
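The oauth2-proxy variant of the external-auth pattern from the comments above, as an added example that is not part of this thread or of the chart. It assumes oauth2-proxy is already deployed in the same namespace as a Service named `oauth2-proxy` on port 4180, started with `--provider=github`, `--github-org`, `--github-team` and `--set-xauthrequest`; the hostnames, secret names and cluster issuer are placeholders. The first document is chart values; the second is a plain Ingress applied outside the chart so that `/oauth2` on the same host reaches the proxy.

```yaml
# Added example, not the chart's own values: Atlantis UI behind oauth2-proxy
# via ingress-nginx external auth. Assumes Service "oauth2-proxy":4180 exists.
ingress:
  enabled: true
  ingressClassName: nginx-external
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod        # placeholder issuer
    # Each UI request is first sent as a subrequest here; 202 passes, 401 redirects.
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # Sign-in entry point; rd= carries the original URL so the user lands back on it.
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Identity headers copied from the auth subrequest onto the request to Atlantis
    # (populated only when oauth2-proxy runs with --set-xauthrequest).
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User, X-Auth-Request-Email"
  host: atlantis.example.com
  path: /
  tls:
    - secretName: atlantis-tls
      hosts:
        - atlantis.example.com

# The VCS webhook cannot complete a browser login, so it gets its own ingress with
# no auth-url annotation and only /events exposed. That path is protected by the
# webhook secret Atlantis verifies itself, not by SSO.
webhook_ingress:
  enabled: true
  ingressClassName: nginx-internal
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  host: atlantis-webhook.example.com
  path: /events
  tls:
    - secretName: atlantis-webhook-tls
      hosts:
        - atlantis-webhook.example.com
---
# Second document: NOT chart values. Companion Ingress applied separately so the
# auth-url / auth-signin URLs above resolve to oauth2-proxy on the same host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: atlantis-oauth2-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx-external
  rules:
    - host: atlantis.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy      # assumed Service name
                port:
                  number: 4180
  tls:
    - secretName: atlantis-tls
      hosts:
        - atlantis.example.com
```

Two things to check after applying it: `curl -I https://atlantis.example.com/` without a cookie should return a 302 to `/oauth2/start`, and the `/events` host must not carry the `auth-url` annotation, otherwise GitHub's webhook deliveries will be bounced to the login page and Atlantis will never see them.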

mk-placer commented 10 months ago

We can implement it as a sidecar with minimal effort, like in the jaeger chart: https://github.com/jaegertracing/helm-charts/blob/21f1f4cc54be4db30d80c25646210aaa37fbcab1/charts/jaeger/values.yaml#L533. I'm using it and it works fine.
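The sidecar shape referenced above, as an added example that is not from the jaeger chart, the Atlantis chart or this thread. It assumes the Atlantis chart renders an `extraContainers` list into the pod spec and lets `service.targetPort` repoint the Service at the proxy; `atlantis-oauth2-proxy` (the Secret holding the GitHub OAuth app credentials), `myorg` and `platform` are placeholders.

```yaml
# Added example, not the chart's own values: oauth2-proxy as a sidecar that
# fronts Atlantis (listening on its default 4141) inside the same pod.
# Assumes extraContainers and service.targetPort are supported by the chart.
service:
  port: 80
  targetPort: 4180          # Service now hits the proxy, never Atlantis directly
extraContainers:
  - name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
    args:
      - --http-address=0.0.0.0:4180
      - --upstream=http://127.0.0.1:4141      # Atlantis, reachable only via localhost
      - --provider=github
      - --github-org=myorg                    # placeholder org
      - --github-team=platform                # placeholder team; only its members pass
      - --email-domain=*
      - --cookie-secure=true
      - --reverse-proxy=true
      # Webhook deliveries carry no session cookie: bypass auth for /events only.
      # Atlantis still authenticates that path with its webhook secret.
      - --skip-auth-route=^/events$
    env:
      - name: OAUTH2_PROXY_CLIENT_ID
        valueFrom: { secretKeyRef: { name: atlantis-oauth2-proxy, key: client-id } }
      - name: OAUTH2_PROXY_CLIENT_SECRET
        valueFrom: { secretKeyRef: { name: atlantis-oauth2-proxy, key: client-secret } }
      - name: OAUTH2_PROXY_COOKIE_SECRET
        valueFrom: { secretKeyRef: { name: atlantis-oauth2-proxy, key: cookie-secret } }
    ports:
      - name: oauth2-proxy
        containerPort: 4180
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
```

The point of the sidecar layout is that the only exposed container port is the proxy's; port 4141 is never published, so there is no unauthenticated path to the UI even if an ingress annotation is later dropped by mistake. The `--skip-auth-route` regex is anchored so that only the exact `/events` path bypasses login.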

jamengual commented 10 months ago

@GenPage @GMartinez-Sisti, what do you guys think?

GMartinez-Sisti commented 10 months ago

> @GenPage @GMartinez-Sisti, what do you guys think?

The project has a lot of stars, the correct license and great support for authentication providers. I don't oppose adding it; however, as soon as we add it, we need to ensure it keeps working, and we're going to get questions when someone doesn't get the config right, so we need to set the expectations from the start.

Creating a wrapper chart that would include Atlantis and oauth2-proxy would be a common approach for most, so maybe we can add an examples folder with integrations and not have to maintain anything extra.

roytev commented 10 months ago

I can add what I’ve done to the examples