allow prometheus metrics without basic auth

Open evkuzin opened this issue 2 years ago • 4 comments

This issue was mentioned in #2399. I just figured out that this is gonna be a simple PR.

evkuzin avatar Jul 26 '22 18:07 evkuzin

I'm not so keen on this change. If for whatever reason Atlantis is public and exposed to the internet, people could see any metrics, and that might be a security issue to some people.

jamengual avatar Jul 27 '22 17:07 jamengual

Fair enough. Maybe we could use a flag in the config for the Prometheus section - require auth or not. But in general I'd say people expect metrics to be isolated from the main router and even if it requires auth - use a separate account for metric auth only.

evkuzin avatar Jul 27 '22 18:07 evkuzin

I agree, usually people isolate these setups, but we can't assume that, so we need to be secure by default.

jamengual avatar Jul 27 '22 18:07 jamengual

Just my two cents on this: another option is to expose metrics on a different port, so that port can be exposed with a different configuration, for example inside a Kubernetes cluster only with a service, where normally metrics don't use auth?

marcelobartsch-jt avatar Aug 02 '22 12:08 marcelobartsch-jt

@evkuzin what are your thoughts on exposing metrics on a separate port instead of removing auth?

@marcelobartsch if metrics were exposed on a different port wouldn't it still need to be excluded from auth?

How are current devs getting metrics if authentication is enforced on the metrics endpoint?

nitrocode avatar Nov 20 '22 22:11 nitrocode

After talking about it, we decided not to include this. The metrics have private information that could leak, and Atlantis should always take the secure-first approach.

jamengual avatar Dec 23 '22 07:12 jamengual
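
The options raised in this thread (a config flag for metrics auth, a metrics-only account, a separate port), sketched as an added example that is not Atlantis code and not part of the original discussion. `MetricsConfig`, `NewMetricsHandler`, the credentials and port 9091 are hypothetical, and a stub stands in for the Prometheus handler.

```go
package main
import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

// MetricsConfig is a hypothetical config section, not Atlantis's own schema.
type MetricsConfig struct {
	DisableAuth bool   // zero value keeps auth on: secure by default
	User, Pass  string // metrics-only account, separate from the main login
}

// basicAuth rejects any request that lacks the expected credentials.
func basicAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		match := subtle.ConstantTimeCompare([]byte(u), []byte(user)) & subtle.ConstantTimeCompare([]byte(p), []byte(pass))
		if !ok || match != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="metrics"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewMetricsHandler builds the mux for a dedicated metrics listener.
func NewMetricsHandler(cfg MetricsConfig, metrics http.Handler) (http.Handler, error) {
	mux := http.NewServeMux()
	if cfg.DisableAuth { // explicit opt-out, e.g. for a cluster-internal port
		mux.Handle("/metrics", metrics)
		return mux, nil
	}
	if cfg.User == "" || cfg.Pass == "" { // fail closed: never compare against empty credentials
		return nil, fmt.Errorf("metrics auth is enabled but no credentials are set")
	}
	mux.Handle("/metrics", basicAuth(cfg.User, cfg.Pass, metrics))
	return mux, nil
}

func main() {
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "constructed_sample_metric 1") })
	h, err := NewMetricsHandler(MetricsConfig{User: "scraper", Pass: "constructed-secret"}, stub)
	if err != nil {
		panic(err)
	}
	panic(http.ListenAndServe("127.0.0.1:9091", h)) // loopback-only metrics port
}
```

Because the zero value of `DisableAuth` is `false`, a config that omits the metrics section entirely still gets an authenticated endpoint, and unauthenticated scraping has to be chosen explicitly.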