From 193b1aa28b7b249ec00fbac3e59d4fd74a060a9f Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Tue, 10 Mar 2026 10:59:36 +0100
Subject: [PATCH] credentials
---
 apps/mcp10x.yaml | 2 +-
 cluster-resources/SETUP-MCP10X-SSH.md | 81 +++++++++++++++++++
 .../mcp10x-repo-credentials-sealed.yaml | 20 +++++
 3 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 cluster-resources/SETUP-MCP10X-SSH.md
 create mode 100644 cluster-resources/mcp10x-repo-credentials-sealed.yaml
diff --git a/apps/mcp10x.yaml b/apps/mcp10x.yaml
index 5f98262..2d0c95c 100644
--- a/apps/mcp10x.yaml
+++ b/apps/mcp10x.yaml
@@ -18,7 +18,7 @@ metadata:
 spec:
 project: default
 source:
- repoURL: https://github.com/fortedigital/10x.git
+ repoURL: git@github.com:fortedigital/10x.git
 targetRevision: HEAD
 path: helm/mcp10x
 helm:
diff --git a/cluster-resources/SETUP-MCP10X-SSH.md b/cluster-resources/SETUP-MCP10X-SSH.md
new file mode 100644
index 0000000..348afe6
--- /dev/null
+++ b/cluster-resources/SETUP-MCP10X-SSH.md
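Review bot: The new SSH `repoURL` under `source:` has no comment linking it to the repository credential, and the `url` value in `cluster-resources/mcp10x-repo-credentials-sealed.yaml` is ciphertext, so a reviewer cannot confirm from this commit that the two point at the same repository. Argo CD picks repository credentials by their URL, so a mismatch would presumably surface only as a failed fetch at sync time. I would add `# must match the url sealed in cluster-resources/mcp10x-repo-credentials-sealed.yaml (Secret mcp10x-repo-creds)` above the `repoURL` line. Switching from HTTPS to SSH also makes the clone depend on Argo CD's SSH known-hosts entry for github.com, which this commit does not show; it is worth confirming that entry is present and current in the cluster. The Application spec continues outside the hunk.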
@@ -0,0 +1,81 @@
+# Setup SSH Deploy Key for mcp10x Repository
+
+## 1. Add Public Key to GitHub
+
+Add this SSH public key as a Deploy Key to the private repository:
+
+**Repository:** https://github.com/fortedigital/10x
+
+**Public Key:**
+```
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0xw8XnpnrIUeRbAzqMUSWXtR+5JoSaXDP/NwzZlEj3 argocd-mcp10x
+```
+
+**Steps:**
+1. Go to: https://github.com/fortedigital/10x/settings/keys
+2. Click "Add deploy key"
+3. Title: `ArgoCD - mcp10x`
+4. Key: Paste the public key above
+5. **Important:** Leave "Allow write access" **unchecked** (read-only)
+6. Click "Add key"
+
+## 2. Seal the Secret (if using Sealed Secrets)
+
+If you want to store the secret encrypted in Git (recommended), seal it:
+
+```bash
+# Install kubeseal if not already installed
+# For Windows: choco install kubeseal
+# For Linux/Mac: brew install kubeseal
+
+# Seal the secret
+kubeseal --format=yaml \
+ < cluster-resources/mcp10x-repo-credentials.yaml \
+ > cluster-resources/mcp10x-repo-credentials-sealed.yaml
+
+# Remove the plaintext secret
+rm cluster-resources/mcp10x-repo-credentials.yaml
+
+# Commit the sealed secret
+git add cluster-resources/mcp10x-repo-credentials-sealed.yaml
+```
+
+## 3. Apply the Configuration (if NOT using Sealed Secrets)
+
+If you're not using sealed secrets, you can apply the plain secret directly:
+
+```bash
+kubectl apply -f cluster-resources/mcp10x-repo-credentials.yaml
+```
+
+**Note:** Don't commit the plaintext secret to Git!
+
+## 4. Update and Sync the Application
+
+The `apps/mcp10x.yaml` has been updated to use SSH URL. ArgoCD will automatically:
+- Detect the repository credentials
+- Use the SSH key to authenticate
+- Clone the private repository
+
+## 5. Verify
+
+Check that ArgoCD can access the repository:
+
+```bash
+# Check if the secret exists
+kubectl get secret mcp10x-repo-creds -n argocd
+
+# Check ArgoCD application status
+kubectl get application mcp10x -n argocd
+
+# Check application details
+kubectl describe application mcp10x -n argocd
+```
+
+## Security Notes
+
+- ✅ SSH key is scoped to single repository
+- ✅ Read-only access (no write permission)
+- ✅ Independent of user accounts
+- ✅ Can be rotated without admin approval
+- ⚠️ Never commit plaintext secrets to Git - use Sealed Secrets or external secret management
diff --git a/cluster-resources/mcp10x-repo-credentials-sealed.yaml b/cluster-resources/mcp10x-repo-credentials-sealed.yaml
new file mode 100644
index 0000000..17f05f5
--- /dev/null
+++ b/cluster-resources/mcp10x-repo-credentials-sealed.yaml
@@ -0,0 +1,20 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: mcp10x-repo-creds + namespace: argocd +spec: + encryptedData: + sshPrivateKey: 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 + type: AgC9y+ZjBL2JsaUBFhWc4wlZWnp04EzxyXwJJgwu+FyBTGWGBrA5dp7KeS7LuPW+vBcjJKcLVuYrDbxJw622RgD0m8ALEL+TQg+CnULXljb7P1inSlAVKHBg0le2bz6dZ55SmZvAItrm5MSxcwVZYFeBVjHFP5IDwF2uPv9ZQOrIGA58ZjTK9+kTsVN/XbVCnNnTaAakW6PR7YaLvpiYYfMbGlU+JmItwIJASPnqmQV40+5f+ewgCl5w0ATeNi6VOQx6quQm7HJovneE0pfYRyg/fTc3SNI6Ao/82+QP3H/7Kmme1DLncMfKSmTZ1dcLQ7AaUZFXuwaQzwzLwv1RLsyFowweJJh20TGV66526oM9zzPAAuFD+yBQln+qdn+qJnOpUZU9Ft/bbnaX2JuBHfcpXK93CvlATo9p+d2RdWvscUSN5NcQ+/szkIJmcCwPW4W7wLvst/+oy2mqJIoRY2T8VT5QclPe2Mbz0onriXx50zeGGAi2MWzNUdR60S8sfadn/6J0+3GdQnQwrgvgV1W2yuXQW6+ThzEqZZlQLZz9+LUQBTYf7DAObGw1EJE1ZdldoyiurMrrlCf88xA9grv9y1QiN0TIElTy5z10Jke8cB9yXBYMA4D/XaEAJ5juk44XjzlmOqPyyFny0xEd6LFILETr76ph1lI6TJUrE5dA9MOwRMQWwSfcMyqRob1nSwx9tBA= + url: AgCZPKVLwBsR41TulTWsw5gSnAFBCH5pQj8hoty2LlGcgM2cY+ArDCv46B8ihFdLiGY4r9hRAhlzkeC1mjgTI9GDzfmrTVs5xS4ilKG9HTt8SzleyqlYT8jZAopc1ln3j4pMLZj471th0PBRxajIxT4rv+tm02FlS+1Py+sHTochMakXLBSQxAy0fGr+Y98WuG6GYxcrHOD4yqErdmq06N9xrmGjP0KCAxTS4VJLiVvWbikANwtDFCmB63wiaqQ0uky7aeX/UrmCUi4WhuFfwUipSr6nyn2Ws3TdTOjioeRNA/LtDb6zc0k1WqgWU2Kk0YHoIJF7w4POSurNQu4yrPgeaK8Ez8k+cFQihK+/4YHZPOUS5Dzm3XhXuQOgQRMfeIFPsutYAMk7WQB8bPDjlk2CpLIg+vQicrW6JEjAgIbD4ohUNKznP2h6vTu6fcGKleDMEedp73/Pud1EinOxyOA91uYv+k54F/tndE6Jj/RJnMTBVBuw71789oBF/QZJ3glhjq/Q78v8t5Zq0QFlpuc4oXOn6WAuP79kUBiBbOVDfSaBMtztsZihf9En3RRzC5RRncOhYaLOufkPTY+qC2Myj6+T/SdxZnyohEZSzHyqSMsBOLCcWTcap79kP3ARRH8az+/7Nga95TnIEoG6f5Wt12f9ZglZtM/UJvQv0NxhSF6YY4gk8sI0Mv5A9ihnUKP7i0gxCnf+X+UJACt+Iy6MDdxFxCHJW7Gp79wrIPmOWnhRJQ== + template: + metadata: + creationTimestamp: null + labels: + argocd.argoproj.io/secret-type: repository + name: mcp10x-repo-creds + namespace: argocd + type: Opaque