credentials

2026-03-10 10:59:36 +01:00
parent 3b0eb5c1d5
commit 193b1aa28b
3 changed files with 102 additions and 1 deletions
--- a/apps/mcp10x.yaml
+++ b/apps/mcp10x.yaml
@@ -18,7 +18,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: https://github.com/fortedigital/10x.git
+    repoURL: git@github.com:fortedigital/10x.git
    targetRevision: HEAD
    path: helm/mcp10x
    helm:
--- a/cluster-resources/SETUP-MCP10X-SSH.md
+++ b/cluster-resources/SETUP-MCP10X-SSH.md
@@ -0,0 +1,81 @@
+# Setup SSH Deploy Key for mcp10x Repository
+
+## 1. Add Public Key to GitHub
+
+Add this SSH public key as a Deploy Key to the private repository:
+
+**Repository:** https://github.com/fortedigital/10x
+
+**Public Key:**
+```
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0xw8XnpnrIUeRbAzqMUSWXtR+5JoSaXDP/NwzZlEj3 argocd-mcp10x
+```
+
+**Steps:**
+1. Go to: https://github.com/fortedigital/10x/settings/keys
+2. Click "Add deploy key"
+3. Title: `ArgoCD - mcp10x`
+4. Key: Paste the public key above
+5. **Important:** Leave "Allow write access" **unchecked** (read-only)
+6. Click "Add key"
+
+## 2. Seal the Secret (if using Sealed Secrets)
+
+If you want to store the secret encrypted in Git (recommended), seal it:
+
+```bash
+# Install kubeseal if not already installed
+# For Windows: choco install kubeseal
+# For Linux/Mac: brew install kubeseal
+
+# Seal the secret
+kubeseal --format=yaml \
+  < cluster-resources/mcp10x-repo-credentials.yaml \
+  > cluster-resources/mcp10x-repo-credentials-sealed.yaml
+
+# Remove the plaintext secret
+rm cluster-resources/mcp10x-repo-credentials.yaml
+
+# Commit the sealed secret
+git add cluster-resources/mcp10x-repo-credentials-sealed.yaml
+```
+
+## 3. Apply the Configuration (if NOT using Sealed Secrets)
+
+If you're not using sealed secrets, you can apply the plain secret directly:
+
+```bash
+kubectl apply -f cluster-resources/mcp10x-repo-credentials.yaml
+```
+
+**Note:** Don't commit the plaintext secret to Git!
+
+## 4. Update and Sync the Application
+
+The `apps/mcp10x.yaml` has been updated to use SSH URL. ArgoCD will automatically:
+- Detect the repository credentials
+- Use the SSH key to authenticate
+- Clone the private repository
+
+## 5. Verify
+
+Check that ArgoCD can access the repository:
+
+```bash
+# Check if the secret exists
+kubectl get secret mcp10x-repo-creds -n argocd
+
+# Check ArgoCD application status
+kubectl get application mcp10x -n argocd
+
+# Check application details
+kubectl describe application mcp10x -n argocd
+```
+
+## Security Notes
+
+- ✅ SSH key is scoped to single repository
+- ✅ Read-only access (no write permission)
+- ✅ Independent of user accounts
+- ✅ Can be rotated without admin approval
+- ⚠️  Never commit plaintext secrets to Git - use Sealed Secrets or external secret management
--- a/cluster-resources/mcp10x-repo-credentials-sealed.yaml
+++ b/cluster-resources/mcp10x-repo-credentials-sealed.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: mcp10x-repo-creds
+  namespace: argocd
+spec:
+  encryptedData:
+    sshPrivateKey: AgABjxZ9fCInZErXR2rkRfn/xg3foN/k8PZaU2xeaf6SraOIoAzsEOmCZjOhml2aOxezED9jAuCyAVcnJGjULlYiwGklmRzekqy3aUNMPsswQIBhs2kDkR0py0ANudNrv1gYkmNn0Z+nMuPIvMbjKkA0avoRD9aXbY7XFP6lJfoFURGYQ6mZeUsjbsugL3m0drync5Ff5IWoPm4cs+O58RXRIiUuMQ/BSEov9DBQfugB94Dg5xA2o1IO9MoXLiHVGfXTd6JD65SnGwhtftmucTXETZjGJbDwJnwcbmC5JqOnxP+wvb9sFUm8QNaGBkODB7ET2YOFnrbhL45L1HwXkLzvteyOpuStfihtOeyKl2D1PRxyy/uwlEg2GR+TZzegrrMlEU/wY6u1nqfkw8g+VPQy2r0KCCRDWha9bBReyFz2LzJr8quTp/HmKi5l0ljVTwziZ2EI6SFdtIGjnyAhEAYWZZoCn1cYQ9Y7qTSnnm6k1f6tnqCJljfr0ls63cXosWxPaSsyHjnmxQboUs+QgpLZDGo5UZLsYJpafPeKN5lQJgZpkK0el4JzLreA1TTLSp2bVW/3Y2R6auQlOhC79A+/ctEooQq6ugPdKaiKUjDpcl9J3pIEiMw0/m6cnFRgBFZdey0hia/joYruIKjL+P6MpwMEL5nKEjnV1hSQqDraC+H4fvQOuYIHYYOPTePxcFyznK/ctcZI9ByW1zT8tSNbKJLia2fhv1Fv15MX/qrk84stW3FG4W1M9PKbmYX8gksF1PxWh+FWfOFteTU+bZPXUOvU5onEFET1L8ZaN7z8v2cYh/D7kRHVcTrLrxgvugvRnGFIsx2Wy0d48LApfDNmip4q4AjA+yhZgRR+eziyStEzFfsvU/MDK9qeQoK+cmV3RMcKUOYthjDbCzndH6TFlqcQQGEWvcbLqofpFjXz0uw9pY7Z8YRBemD6wqAM13JtaI+hF6EW3fW6Vy3QS0O1Kqgy/8bCh4R3h+DGtXPkMu/xLKuFiUQJF2XnQEZya+aYbxQUcNcxOvblWndHOMFpbce0ERIon9m4rvn8HLNeoRqC+x4iGW7ft4pFkaLr/DYOkhiNmSfd35js8TLfcxSXZg2pX+dq6lejGxVdkrvmisWm+4xpc0B8hRpwQMJGuIM4rQz5wj/XndfHSH1Z0NnorCmSubOwPIpq7VQqoyCIpOBCzBLVki4hlJeqIvm2/xJPPVzxZZ16Uy7TGbSoPWs=
+    type: AgC9y+ZjBL2JsaUBFhWc4wlZWnp04EzxyXwJJgwu+FyBTGWGBrA5dp7KeS7LuPW+vBcjJKcLVuYrDbxJw622RgD0m8ALEL+TQg+CnULXljb7P1inSlAVKHBg0le2bz6dZ55SmZvAItrm5MSxcwVZYFeBVjHFP5IDwF2uPv9ZQOrIGA58ZjTK9+kTsVN/XbVCnNnTaAakW6PR7YaLvpiYYfMbGlU+JmItwIJASPnqmQV40+5f+ewgCl5w0ATeNi6VOQx6quQm7HJovneE0pfYRyg/fTc3SNI6Ao/82+QP3H/7Kmme1DLncMfKSmTZ1dcLQ7AaUZFXuwaQzwzLwv1RLsyFowweJJh20TGV66526oM9zzPAAuFD+yBQln+qdn+qJnOpUZU9Ft/bbnaX2JuBHfcpXK93CvlATo9p+d2RdWvscUSN5NcQ+/szkIJmcCwPW4W7wLvst/+oy2mqJIoRY2T8VT5QclPe2Mbz0onriXx50zeGGAi2MWzNUdR60S8sfadn/6J0+3GdQnQwrgvgV1W2yuXQW6+ThzEqZZlQLZz9+LUQBTYf7DAObGw1EJE1ZdldoyiurMrrlCf88xA9grv9y1QiN0TIElTy5z10Jke8cB9yXBYMA4D/XaEAJ5juk44XjzlmOqPyyFny0xEd6LFILETr76ph1lI6TJUrE5dA9MOwRMQWwSfcMyqRob1nSwx9tBA=
+    url: AgCZPKVLwBsR41TulTWsw5gSnAFBCH5pQj8hoty2LlGcgM2cY+ArDCv46B8ihFdLiGY4r9hRAhlzkeC1mjgTI9GDzfmrTVs5xS4ilKG9HTt8SzleyqlYT8jZAopc1ln3j4pMLZj471th0PBRxajIxT4rv+tm02FlS+1Py+sHTochMakXLBSQxAy0fGr+Y98WuG6GYxcrHOD4yqErdmq06N9xrmGjP0KCAxTS4VJLiVvWbikANwtDFCmB63wiaqQ0uky7aeX/UrmCUi4WhuFfwUipSr6nyn2Ws3TdTOjioeRNA/LtDb6zc0k1WqgWU2Kk0YHoIJF7w4POSurNQu4yrPgeaK8Ez8k+cFQihK+/4YHZPOUS5Dzm3XhXuQOgQRMfeIFPsutYAMk7WQB8bPDjlk2CpLIg+vQicrW6JEjAgIbD4ohUNKznP2h6vTu6fcGKleDMEedp73/Pud1EinOxyOA91uYv+k54F/tndE6Jj/RJnMTBVBuw71789oBF/QZJ3glhjq/Q78v8t5Zq0QFlpuc4oXOn6WAuP79kUBiBbOVDfSaBMtztsZihf9En3RRzC5RRncOhYaLOufkPTY+qC2Myj6+T/SdxZnyohEZSzHyqSMsBOLCcWTcap79kP3ARRH8az+/7Nga95TnIEoG6f5Wt12f9ZglZtM/UJvQv0NxhSF6YY4gk8sI0Mv5A9ihnUKP7i0gxCnf+X+UJACt+Iy6MDdxFxCHJW7Gp79wrIPmOWnhRJQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        argocd.argoproj.io/secret-type: repository
+      name: mcp10x-repo-creds
+      namespace: argocd
+    type: Opaque