Oauth2 proxy support for atlantis ingress #330

Open
roytev opened this issue Nov 10, 2023 · 10 comments · May be fixed by #440
Labels
documentation Improvements or additions to documentation

Comments

@roytev
Contributor

roytev commented Nov 10, 2023

Hi!
In order to access the Atlantis UI I wanted SSO with GitHub and to limit access to specific team members in our organization. Today this is not possible out of the box; what I've done is deploy https://oauth2-proxy.github.io/oauth2-proxy/
What I'm thinking is to introduce built-in support for that inside the Helm chart, as a sidecar or an additional deployment.

What do you think?

@jamengual
Contributor

+1 to that, a lot of people have to do that by themselves so this could be a cool addition

@bschaatsbergen
Member

Awesome idea!

@jseiser
Contributor

jseiser commented Nov 16, 2023

I don't think this should be bundled in, as it's not a core part of Atlantis. Configuring OAuth support is already available OOTB, and we do it today.

```yaml
ingress:
  enabled: true
  ingressClassName: nginx-external
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    cert-manager.io/cluster-issuer: cert-manager-r53-prod
    nginx.ingress.kubernetes.io/auth-signin: "https://vouch-ops-${env}.xxx.network/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err"
    nginx.ingress.kubernetes.io/auth-url: https://vouch-ops-${env}.xxx.network/validate
    nginx.ingress.kubernetes.io/auth-response-headers: X-Vouch-User
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
  host: atlantis-ops-dev.xxx.network
  path: /
  tls:
    - secretName: atlantis-prod-tls
      hosts:
        - atlantis-ops-dev.xxx.network
webhook_ingress:
  enabled: true
  ingressClassName: nginx-internal
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    cert-manager.io/cluster-issuer: cert-manager-r53-prod
  host: atlantis-webhook-ops-dev.xxx.network
  path: /events
  tls:
    - secretName: atlantis-webhook-dev-tls
      hosts:
        - atlantis-webhook-ops-dev.xxx.network
```

Spending time to hard-code oauth2 proxy just means you have to maintain that it works moving forward.
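
Added example, not part of the comment above or of the chart: the values above put the auth annotations only on the UI ingress and leave the webhook ingress serving `/events` without them, so this check flags any Ingress from `kubectl get ingress -o json` that skips the auth subrequest on another path. The `/events` allowlist, the helper names and the sample objects are assumptions.

```python
AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "nginx.ingress.kubernetes.io/auth-signin"
# Assumption: the webhook path is the only one allowed to skip the auth subrequest.
UNAUTHENTICATED_PATHS = {"/events"}

def ingress_paths(ingress):
    """Return every HTTP path an Ingress object serves."""
    paths = [
        p.get("path", "/")
        for rule in ingress.get("spec", {}).get("rules", [])
        for p in (rule.get("http") or {}).get("paths", [])
    ]
    # An Ingress with only a default backend serves everything.
    return paths or ["/"]

def audit(ingress_list):
    """Return (name, problem) findings for a `kubectl get ingress -o json` document."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        ann = meta.get("annotations") or {}
        if not ann.get(AUTH_URL):
            # No auth subrequest: only the allowlisted webhook path may be served.
            exposed = sorted(set(ingress_paths(ing)) - UNAUTHENTICATED_PATHS)
            if exposed:
                findings.append((name, "no auth-url, exposes " + ", ".join(exposed)))
        elif AUTH_SIGNIN not in ann:
            # Requests are still rejected, but users get a 401 instead of a login redirect.
            findings.append((name, "auth-url without auth-signin"))
    return findings

def sample_ingress(name, path, annotations=None):
    # Minimal Ingress object for the constructed sample below.
    return {"metadata": {"name": name, "annotations": annotations},
            "spec": {"rules": [{"http": {"paths": [{"path": path}]}}]}}

# Constructed sample: names and hosts are placeholders, not taken from the issue.
SAMPLE = {"items": [
    sample_ingress("atlantis", "/", {AUTH_URL: "https://auth.example.test/validate",
                                     AUTH_SIGNIN: "https://auth.example.test/login"}),
    sample_ingress("atlantis-webhook", "/events"),
    sample_ingress("atlantis-debug", "/"),
    sample_ingress("atlantis-nosignin", "/", {AUTH_URL: "https://auth.example.test/validate"}),
]}

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

For a live cluster, pass `json.load(sys.stdin)` to `audit()` and pipe the `kubectl` output in.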

@roytev
Contributor Author

roytev commented Nov 16, 2023

Hi @jseiser, you are right, it's supported with the Nginx ingress controller if you deploy oauth2 proxy (https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/); some of the users really don't need this feature baked into the Helm chart.
But still, I think for users that are getting started with Atlantis it's a welcome feature.
In my use case I use ALB ingress, which also has an OAuth feature, but it's very limited, so I deployed oauth2 proxy and wired it myself.

@mk-placer

We can implement it as a sidecar with minimal effort, like in the jaeger chart.
https://github.com/jaegertracing/helm-charts/blob/21f1f4cc54be4db30d80c25646210aaa37fbcab1/charts/jaeger/values.yaml#L533
I'm using it and it works fine.

@jamengual
Contributor

@GenPage @GMartinez-Sisti, what do you guys think?

@GMartinez-Sisti
Member

> @GenPage @GMartinez-Sisti, what do you guys think?

The project has a lot of stars, the correct license and great support for authentication providers. I don't oppose adding it; however, as soon as we add it, we need to ensure it keeps working and we're going to get questions when someone doesn't get the config right, so we need to set the expectations from the start.

Creating a wrapper chart that would include atlantis and oauth2-proxy would be a common approach for most, so maybe we can add an examples folder with integrations and don't have to maintain anything extra.

@roytev
Contributor Author

roytev commented Nov 17, 2023

I can add what I’ve done to the examples

@GMartinez-Sisti GMartinez-Sisti added the documentation Improvements or additions to documentation label May 4, 2024
@DrummyFloyd

Is this issue still up?
If yes, I can create the related PR to add the sidecar oauth like in the jaeger chart.

@jamengual
Contributor

jamengual commented Dec 8, 2024 via email

@DrummyFloyd DrummyFloyd linked a pull request Dec 11, 2024 that will close this issue