fix: disable basic auth by default #103

Merged 1 commit on Dec 10, 2021

cilindrox
Contributor

Having the default basicAuth block uncommented under values as
introduced in #98 causes this chart to be backwards incompatible with
existing installations.

@cilindrox
Contributor Author

If this is intended behavior, then I'd argue the readme should be updated with the default values (password, password) or use a randomly generated, somewhat more secure default.

mcandio commented Dec 8, 2021

It does not have a boolean field to disable auth.
And the readiness/liveness probes are not working because of it.

➜  ~ k describe pod atlantis-0
Name:         atlantis-0
Namespace:    atlantis
Priority:     0
Node:         omitted
Start Time:   Wed, 08 Dec 2021 20:39:33 -0300
Labels:       app=atlantis
              controller-revision-hash=atlantis-7d7f996575
              release=atlantis
              statefulset.kubernetes.io/pod-name=atlantis-0
Annotations:  kubernetes.io/psp: eks.privileged
Status:       Running
IP:           omitted
IPs:
  IP:           omitted
Controlled By:  StatefulSet/atlantis
Containers:
  atlantis:
    Container ID:  omitted
    Image:        omitted.dkr.ecr.us-east-1.amazonaws.com/atlantis:latest
    Image ID:      docker-pullable://omitted.dkr.ecr.us-east-1.amazonaws.com/atlantis@omitted
    Port:          4141/TCP
    Host Port:     0/TCP
    Args:
      server
    State:          Running
      Started:      Wed, 08 Dec 2021 20:39:39 -0300
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     2
      memory:  1Gi
    Requests:
      cpu:      100m
      memory:   1Gi
    Liveness:   http-get http://:4141/healthz delay=5s timeout=5s period=60s #success=1 #failure=5
    Readiness:  http-get http://:4141/healthz delay=5s timeout=5s period=60s #success=1 #failure=5
    Environment:
      ATLANTIS_DISABLE_APPLY_ALL:      true
      ATLANTIS_DEFAULT_TF_VERSION:     1.0.0
      ATLANTIS_LOG_LEVEL:              debug
      ATLANTIS_DATA_DIR:               /atlantis-data
      ATLANTIS_REPO_WHITELIST:        omitted
      ATLANTIS_PORT:                   4141
      ATLANTIS_REPO_CONFIG:            /etc/atlantis/repos.yaml
      ATLANTIS_ATLANTIS_URL:          omitted
      ATLANTIS_GITLAB_USER:            atlantis@omitted
      ATLANTIS_GITLAB_TOKEN:           <set to the key 'gitlab_token' in secret 'atlantis-webhook'>   Optional: false
      ATLANTIS_GITLAB_WEBHOOK_SECRET:  <set to the key 'gitlab_secret' in secret 'atlantis-webhook'>  Optional: false
      ATLANTIS_GITLAB_HOSTNAME:        omitted
      ATLANTIS_WEB_BASIC_AUTH:         true
      ATLANTIS_WEB_USERNAME:           <set to the key 'username' in secret 'atlantis-basic-auth'>  Optional: false
      ATLANTIS_WEB_PASSWORD:           <set to the key 'password' in secret 'atlantis-basic-auth'>  Optional: false
      AWS_DEFAULT_REGION:              us-east-1
      AWS_REGION:                      us-east-1
      AWS_ROLE_ARN:                   omitted
      AWS_WEB_IDENTITY_TOKEN_FILE:     /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /atlantis-data from atlantis-data (rw)
      /etc/atlantis/repos.yaml from repo-config (ro,path="repos.yaml")
      /home/atlantis/.aws from aws-volume (ro)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-nlk98 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  atlantis-data:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  atlantis-data-atlantis-0
    ReadOnly:   false
  aws-volume:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  atlantis-aws
    Optional:    false
  repo-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      atlantis-repo-config
    Optional:  false
  kube-api-access-nlk98:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason                  Age   From                     Message
  ----    ------                  ----  ----                     -------
  Normal  Scheduled               38s   default-scheduler        Successfully assigned atlantis/atlantis-0 to ip-10-30-127-108.ec2.internal
  Normal  SuccessfulAttachVolume  35s   attachdetach-controller  AttachVolume.Attach succeeded for volume "pvc-c0ffad72-4771-4cd6-ae8d-1d5157609b82"
  Normal  Pulled                  32s   kubelet                  Container image "omitted.dkr.ecr.us-east-1.amazonaws.com/atlantis:latest" already present on machine
  Normal  Created                 32s   kubelet                  Created container atlantis
  Normal  Started                 32s   kubelet                  Started container atlantis
  Warning  Unhealthy               5s    kubelet                  Readiness probe failed: HTTP probe failed with statuscode: 401
  Warning  Unhealthy               5s    kubelet                  Liveness probe failed: HTTP probe failed with statuscode: 401



➜  ~ kubectl exec -it atlantis-0 -n atlantis -- bash
bash-5.1$ curl -vvv http://localhost:4141/healthz
*   Trying 127.0.0.1:4141...
* Connected to localhost (127.0.0.1) port 4141 (#0)
> GET /healthz HTTP/1.1
> Host: localhost:4141
> User-Agent: curl/7.78.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Type: text/plain; charset=utf-8
< Www-Authenticate: Basic realm="restricted", charset="UTF-8"
< X-Content-Type-Options: nosniff
< Date: Wed, 08 Dec 2021 23:41:26 GMT
< Content-Length: 13
<
Unauthorized
* Connection #0 to host localhost left intact
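
The 401 on `/healthz` in the comment above comes from basic auth covering the probe path, which kubelet `http-get` probes request without credentials. As an added example (not Atlantis's code and not part of this thread), a Go middleware that keeps basic auth on every route except an exact-match health path; the function names, routes and credentials are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// basicAuth gates next behind HTTP Basic auth except for exact-match exempt paths
// (probes send no credentials); hashing gives the constant-time compare equal lengths.
func basicAuth(user, pass string, exempt map[string]bool, next http.Handler) http.Handler {
	wantU, wantP := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		gotU, gotP := sha256.Sum256([]byte(u)), sha256.Sum256([]byte(p))
		match := subtle.ConstantTimeCompare(gotU[:], wantU[:]) & subtle.ConstantTimeCompare(gotP[:], wantP[:])
		if !exempt[r.URL.Path] && (!ok || match != 1) {
			w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory GET, with credentials only if user is non-empty.
func probe(h http.Handler, path, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// newServer wires constructed routes and credentials (hypothetical, not Atlantis's).
func newServer(exemptHealth bool) http.Handler {
	ok := func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") }
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", ok)
	mux.HandleFunc("/", ok)
	return basicAuth("operator", "constructed-secret", map[string]bool{"/healthz": exemptHealth}, mux)
}

func main() {
	fmt.Println(probe(newServer(false), "/healthz", "", ""), probe(newServer(true), "/healthz", "", ""), probe(newServer(true), "/", "", ""))
}
```

An exempted health route is reachable without credentials, so it should return liveness status only.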

@lkysow lkysow merged commit 00719c9 into runatlantis:main Dec 10, 2021
@cilindrox cilindrox deleted the disable-basic-auth-defaults branch December 10, 2021 22:11