ArgoCD pulls and applies resources from Git repositories, CI/CD pipelines act based on events emitted by repositories, and developers interact with and debug the resources managed by both. Unfortunately, GitOps controllers, CI/CD pipelines, and developers all have different identities and different RBAC models. How can we find harmony in these approaches and effectively manage permissions across them? We’ll show how we’re using OAuth2-Token Exchange (RFC 8693) with Dex and GitHub Teams with ArgoCD AppProjects to provide consistent permissions to repositories, people, and CI pipelines with just OIDC. We also show how we designed a just-in-time RBAC approach by programmatically managing the ArgoCD AppProjects based on the repository manifests.
