# Set Up SSH Deploy Key for mcp10x Repository

## 1. Add Public Key to GitHub

Add this SSH public key as a Deploy Key to the private repository:

**Repository:** https://github.com/fortedigital/10x

**Public Key:**

```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0xw8XnpnrIUeRbAzqMUSWXtR+5JoSaXDP/NwzZlEj3 argocd-mcp10x
```

**Steps:**

1. Go to: https://github.com/fortedigital/10x/settings/keys
2. Click "Add deploy key"
3. Title: `ArgoCD - mcp10x`
4. Key: Paste the public key above
5. **Important:** Leave "Allow write access" **unchecked** (read-only)
6. Click "Add key"

## 2. Seal the Secret (if using Sealed Secrets)

If you want to store the secret encrypted in Git (recommended), seal it:

```bash
# Install kubeseal if not already installed
# For Windows: choco install kubeseal
# For Linux/Mac: brew install kubeseal

# Seal the secret
kubeseal --format=yaml \
  < cluster-resources/mcp10x-repo-credentials.yaml \
  > cluster-resources/mcp10x-repo-credentials-sealed.yaml

# Remove the plaintext secret
rm cluster-resources/mcp10x-repo-credentials.yaml

# Stage the sealed secret for commit
git add cluster-resources/mcp10x-repo-credentials-sealed.yaml
```

## 3. Apply the Configuration (if NOT using Sealed Secrets)

If you're not using Sealed Secrets, you can apply the plain secret directly:

```bash
kubectl apply -f cluster-resources/mcp10x-repo-credentials.yaml
```

**Note:** Don't commit the plaintext secret to Git!

## 4. Update and Sync the Application

The `apps/mcp10x.yaml` has been updated to use an SSH URL. ArgoCD will automatically:

- Detect the repository credentials
- Use the SSH key to authenticate
- Clone the private repository

## 5. Verify

Check that ArgoCD can access the repository:

```bash
# Check if the secret exists
kubectl get secret mcp10x-repo-creds -n argocd

# Check ArgoCD application status
kubectl get application mcp10x -n argocd

# Check application details
kubectl describe application mcp10x -n argocd
```

## Security Notes

- ✅ SSH key is scoped to a single repository
- ✅ Read-only access (no write permission)
- ✅ Independent of user accounts
- ✅ Can be rotated without admin approval
- ⚠️ Never commit plaintext secrets to Git; use Sealed Secrets or external secret management
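
The guard below is an added example, not part of the original guide: a POSIX shell check to run before the `git add` in step 2 that flags manifests still carrying plaintext key material and confirms the sealed file really is a `SealedSecret`. The function names are hypothetical, and the sample tree it can build (including every key and ciphertext value) is constructed.

```bash
# Added example, not from the original guide; sample values are constructed.
# True if file $1 still carries plaintext credential material.
looks_plaintext() {
  grep -Eq -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" && return 0
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*sshPrivateKey:' "$1"
}

# Print YAML files under directory $1 that look unsealed; return 1 if any.
find_plaintext_secrets() {
  hits=$(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
      if looks_plaintext "$f"; then printf '%s\n' "$f"; fi
    done)
  if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
  return 0
}

# True if file $1 is kubeseal output with no key material left in it.
is_sealed() {
  grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*encryptedData:' "$1" &&
    ! looks_plaintext "$1"
}

# Build a constructed sample tree under directory $1 for a dry run.
make_sample_tree() {
  mkdir -p "$1/cluster-resources"
  cat > "$1/cluster-resources/mcp10x-repo-credentials.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: mcp10x-repo-creds
stringData:
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    PLACEHOLDER-NOT-A-REAL-KEY
    -----END OPENSSH PRIVATE KEY-----
EOF
  cat > "$1/cluster-resources/mcp10x-repo-credentials-sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mcp10x-repo-creds
spec:
  encryptedData:
    sshPrivateKey: PLACEHOLDER-CIPHERTEXT
EOF
}
```

In the step 2 workflow, run `find_plaintext_secrets cluster-resources` after the `rm` and stage the sealed file only when it returns 0 and `is_sealed` accepts that file.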