# spicedb
a
Hey hey, I have a question. I'm working on an effort to turn account sprawl across our ops pipelines into something unified. I initially proposed OpenLDAP but have been playing with SpiceDB. I've gotta set up a POC displaying integration with ArgoCD. I'm completely lost re: SpiceDB. It seems lovely, but for every 1000 resources on LDAP <> ArgoCD integration there are... Well, there are no resources on how ArgoCD integrates with SpiceDB for IAM. Could anyone point me in the right direction? I guess if nothing Argo-specific, something similar that showcases how SpiceDB can be used as a step-in replacement for LDAP on something like ArgoCD.
v
I'm not aware of any ArgoCD integration with SpiceDB, so I'm afraid this would be something entirely new to be built.
e
Out of curiosity, can you describe the sort of integration you're looking for? Do you want to authorize access to Argo Applications based on data in LDAP / SpiceDB? Or are you trying to manage the data in SpiceDB with an Argo Application?
a
I'm looking to store user data and relationships within SpiceDB to control who can access what - RBAC essentially, or something similar. Kind of acting as OpenLDAP would.
The idea is to implement it as the underlying database for user authentication & access across our infrastructure & services.
v
I think it would be an interesting idea to explore, just note SpiceDB is no replacement for an authentication service, it's for authorization. You probably want to introduce something like SAML/OpenID Connect for authentication, and then SpiceDB for authorization, but that would require investigating how to plug custom authorization modules into Argo. It seems to be embedding dex for authentication, which gives you plenty of options for the authN side of things: https://github.com/dexidp/dex
As far as I can tell in their docs, they have an authentication and an authorization component: https://argo-cd.readthedocs.io/en/stable/developer-guide/architecture/authz-authn/ The authorization component already uses casbin: https://github.com/casbin/casbin. So you'd have to look into the ArgoCD codebase and investigate how to replace casbin with SpiceDB. My guess is that's a non-trivial amount of work, but it would be a good candidate for open-sourcing. You can learn more about Argo's RBAC here: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
Do you guys have a platform engineering team that does employee authorization using SpiceDB already, and is that why your fellow senior engineers recommended you look into it? Otherwise I'm not sure I understand why you'd go down what appears to me to be a non-trivial amount of work to replace casbin with SpiceDB without first answering why. Is there something about Argo's out-of-the-box authorization that does not work for you guys? If you just want ArgoCD running for your internal teams, leveraging what's in place in Argo is likely a good idea, unless you have very clear, specific requirements to use SpiceDB here.
https://cdn.discordapp.com/attachments/1252214761693904918/1252545000181334016/argocd-arch-authn-authz.png?ex=66729aef&is=6671496f&hm=08dded6e75863fd5c9e1a88bb424c20dbb08be300eb2e70966a22ed21159e64a&
a
This was a really insightful response, thanks. Argo is just the app we've chosen for the initial POC since it's central to a lot of our workflows. The idea is to create a unified database across all of our "stuff". My initial plan was to combine something like Keycloak and OpenLDAP, however SpiceDB got the vote, I guess because it seems a bit shinier. After going over all the info in your post, I'm not convinced it's going to be worth the effort given the fact that we aren't a huge team.
v
You can use SpiceDB with these off-the-shelf systems, no question about it, but the barrier to entry would be higher because SpiceDB is early in the emerging landscape of authorization services, and when those systems were designed, the landscape was nascent and they didn't even consider facilitating swapping out the authorization bits. So it means you'll likely have to fork ArgoCD to generalize their authorization subsystem. The question is whether it's the right investment for your organization right now.
If you are going to integrate different employee-facing services that are mostly off-the-shelf products, Keycloak/dex and LDAP/SCIM are well established.
a
Thanks again, really appreciate the in-depth responses. We don't have the resources to make this work, so I'm going to opt to go with something more traditional. Definitely following SpiceDB with interest going forward though.
v
happy to help!