On user pod startup: clone private GitHub repo


I’m running JupyterHub on Google Kuberentes Engine (Autopilot).
I would like to find a way to clone a private GitHub repo and make it available to all user pods.

GitHub authentication

My private repo has a deploy key. I’ve successfully added that key as a secret:

$ kubectl get secrets
NAME                              TYPE                 DATA   AGE
github-ssh-key                    Opaque               2      27h

I’ve verified that the ssh-key gets deployed to the user pods correctly (i.e. it is visible in ~/.ssh).

Executing a clone is impossible

However, it is simply impossible to pull the trigger on the clone operation. In my opinion b/c the private key in ~/.ssh doesn’t have the correct permissions.

Things I have tried

  • initContainer:
       - name: git-clone
         image: alpine/git
             runAsUser: 0
         command: ["sh", "-c", "mkdir -p /mnt/my_repo && chmod 600 /root/.ssh/ssh-privatekey && git clone ..."]
         - name: ssh-key
           mountPath: /root/.ssh
           readOnly: true
         - name: workdir
           mountPath: /mnt

I’ve tried to use an initContainer to clone the repository but it did not work. I believe because the permissions for the private ssh key are off and I cannot seem to use chmod to change them.

  • lifecycle hooks:

                 command: ["sh", "-c", "git clone ..."]

This did not work either I believe b/c of the same reasons. I simply cannot use chmod to ensure the private key has the correct permissions.


  • Is there a way to perform chmod operation in a pod?
  • If not then how can I make sure the ssh-key secrete is added with correct permissions so I can actually use it?

Thanks for any help!

You may find it easier to use git-credential-helpers and nbgitpuller for this. See an example of how we achieve this at 2i2c here: Allow nbgitpuller to pull from private GitHub repos — Infrastructure Guide