Summary
Proposing that the subject matcher should support regex and glob matchers.
Motivation
With Dex supporting token exchange, we can now use OIDC tokens from GitHub Actions to authenticate to ArgoCD via Dex.
While this technically already works, there are a number of limitations preventing some ideal workflows.
As an example, if a GitHub repository has customized the OIDC claims to include additional information such as the workflow_ref or job_workflow_ref, the sub claim may become non-deterministic, for example, it might include the pull request number.
In order to allow pull requests to run something like argocd app diff with a GitHub-issued OIDC token that includes the pull request number ...@refs/pull/1234/merge, we would need to allow glob/regex matchers here.
This would have similar behavior to the wildcard example here
Proposal
Using a plain text id would be helpful as opposed to the base64 url encoded sub.
Simply add the glob or regex matcher to the subjects.
argo-cd/assets/model.conf
Line 14 in 728b31e
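An added example, not taken from the issue or from Argo CD's code, of how a glob subject matcher can stay narrow enough for the pull request case described above. It assumes the subject is compared in plain text; the helper names, the rule that `*` never crosses `:` or `/`, and the sample sub values are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample values; the org, repo and workflow names are placeholders.
const (
	workflow = "repo:example-org/example-repo:job_workflow_ref:" +
		"example-org/example-repo/.github/workflows/diff.yml"
	prPolicy = workflow + "@refs/pull/*/merge" // policy subject with one wildcard
)

// globToRegexp compiles a policy subject glob into a fully anchored regexp.
// Assumption of this sketch: '*' matches one non-empty field and never
// crosses ':' or '/', so it cannot widen to another repo, ref type or suffix.
func globToRegexp(glob string) *regexp.Regexp {
	parts := strings.Split(glob, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p) // everything except '*' is literal
	}
	return regexp.MustCompile("^" + strings.Join(parts, "[^:/]+") + "$")
}

// SubjectMatches reports whether a token's sub claim satisfies a policy subject.
// Subjects without a wildcard keep exact-match semantics.
func SubjectMatches(policySub, tokenSub string) bool {
	if !strings.Contains(policySub, "*") {
		return policySub == tokenSub
	}
	return globToRegexp(policySub).MatchString(tokenSub)
}

func main() {
	subs := []string{
		workflow + "@refs/pull/1234/merge",       // pull request run: allowed
		workflow + "@refs/heads/main",            // different ref type: denied
		workflow + "@refs/pull/1234/merge/extra", // trailing data: denied
		strings.Replace(workflow, "repo:example-org", "repo:other-org", 1) +
			"@refs/pull/1234/merge", // different owner: denied
	}
	for _, s := range subs {
		fmt.Printf("%-5v %s\n", SubjectMatches(prPolicy, s), s)
	}
}
```

Anchoring the pattern at both ends and keeping the wildcard inside a single field is what prevents a pull request policy from also admitting tokens for other refs or repositories.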