Can visit atlantis webpage directly without providing credentials when basic auth credentials are defined in helm chart

[NathanielWroblewski]

I'm following the guide for deploying atlantis via helm charts, and I've set basicAuth.username and basicAuth.password; however, when I deploy to our EKS cluster, I can visit the application page in my browser without being prompted for username/password, and I can curl it without being prompted to auth as well.

I've added the following to the values.yml (I'm omitting everything I haven't altered):

github:
  user: REDACTED
  token: '$ATLANTIS_GH_TOKEN'
  secret: '$ATLANTIS_GH_SECRET'
gitconfig: |
  [url "https://[email protected]"]
    insteadOf = https://github.com
  [url "https://[email protected]"]
    insteadOf = ssh://[email protected]
aws:
  credentials: |
    [default]
    aws_access_key_id=$ATLANTIS_AWS_ACCESS_KEY_ID
    aws_secret_access_key=$ATLANTIS_AWS_SECRET_ACCESS_KEY
    region=$ATLANTIS_AWS_REGION
image:
  repository: runatlantis/atlantis
  tag: v0.18.0
  pullPolicy: IfNotPresent
basicAuth:
  username: "atlantis"
  password: '$ATLANTIS_WEB_PASSWORD'
service:
  type: LoadBalancer
  port: 443
  loadBalancerIP: null

Currently, I'm just running this manually and setting the env vars directly on the command line:

$ ATLANTIS_GH_TOKEN='ghp_REDACTED' \
  ATLANTIS_GH_SECRET='REDACTED' \
  ATLANTIS_AWS_ACCESS_KEY_ID='AKIAREDACTED' \
  ATLANTIS_AWS_SECRET_ACCESS_KEY='REDACTED' \
  ATLANTIS_WEB_PASSWORD='REDACTED' \
  helm upgrade \
    -f ./values.yaml \
    -n atlantis \
    atlantis runatlantis/atlantis

I can see that these values are being set:

 $ kubectl -n atlantis describe secrets atlantis-basic-auth
Name:         atlantis-basic-auth
Namespace:    atlantis
Labels:       app=atlantis
              app.kubernetes.io/managed-by=Helm
              chart=atlantis-3.15.0
              heritage=Helm
              release=atlantis
Annotations:  meta.helm.sh/release-name: atlantis
              meta.helm.sh/release-namespace: atlantis

Type:  Opaque

Data
====
password:  22 bytes
username:  14 bytes

I have amended my load balancer (ELB) in AWS with an ACM cert, and I'm able to load the Atlantis page over HTTPS, but I am never prompted to enter a username or password.

[NathanielWroblewski]

@lkysow is there someone I could talk to on the project for a resolution to this? Having this page publicly accessible prevents us from using Atlantis at all.

[NathanielWroblewski]

:tumbleweed:

[gmontanola]

@NathanielWroblewski I guess you figured out but updating to 0.15.2 fixes this.

runatlantis/atlantis#2008

[lkysow]

Sorry @NathanielWroblewski. This repo isn't checked as frequently. The main Atlantis repo is a better place for issues like this that aren't specific to the Helm chart.

Based on @gmontanola's comment I'll close this.