On user pod startup: clone private GitHub repo

Description

I’m running JupyterHub on Google Kubernetes Engine (Autopilot).
I would like to find a way to clone a private GitHub repo and make it available to all user pods.

GitHub authentication

My private repo has a deploy key. I’ve successfully added that key as a secret:

$ kubectl get secrets
NAME                              TYPE                 DATA   AGE
github-ssh-key                    Opaque               2      27h

I’ve verified that the ssh-key gets deployed to the user pods correctly (i.e. it is visible in ~/.ssh).

Executing a clone is impossible

However, it is simply impossible to pull the trigger on the clone operation. In my opinion, this is because the private key in ~/.ssh doesn’t have the correct permissions.

Things I have tried

  • initContainer:
     initContainers:
       - name: git-clone
         image: alpine/git
         securityContext:
           runAsUser: 0
         command: ["sh", "-c", "mkdir -p /mnt/my_repo && chmod 600 /root/.ssh/ssh-privatekey && git clone ..."]
         volumeMounts:
           - name: ssh-key
             mountPath: /root/.ssh
             readOnly: true
           - name: workdir
             mountPath: /mnt
    

I’ve tried to use an initContainer to clone the repository, but it did not work. I believe this is because the permissions for the private SSH key are off, and I cannot seem to use chmod to change them.

  • lifecycle hooks:

     singleuser:
        lifecycleHooks:
           postStart:
              exec:
                 command: ["sh", "-c", "git clone ..."]
    

This did not work either, I believe for the same reasons. I simply cannot use chmod to ensure the private key has the correct permissions.

Questions

  • Is there a way to perform a chmod operation in a pod?
  • If not, then how can I make sure the ssh-key secret is added with the correct permissions so I can actually use it?

Thanks for any help!
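
The permission problem raised in the questions above, as an added example that is not part of the original post or the reply: Helm values that project the Secret with a restrictive mode and copy the key to a writable path before cloning. The names github-ssh-key, ssh-privatekey, ssh-key and workdir come from the post; the /etc/git-secret and /tmp/deploy_key paths, the known_hosts item in the Secret, and the repository URL are assumptions.

```yaml
# Added example (hypothetical values.yaml for the JupyterHub Helm chart).
singleuser:
  storage:
    extraVolumes:
      - name: ssh-key
        secret:
          secretName: github-ssh-key
          defaultMode: 256          # decimal for octal 0400: owner read-only
      - name: workdir
        emptyDir: {}                # per-pod scratch volume that receives the clone
    extraVolumeMounts:
      - name: workdir
        mountPath: /mnt
        readOnly: true              # notebook container only reads the clone
  initContainers:
    - name: git-clone
      image: alpine/git
      securityContext:
        runAsUser: 0
      env:
        - name: REPO_URL
          value: git@github.com:EXAMPLE-ORG/EXAMPLE-REPO.git   # placeholder
      command:
        - sh
        - -c
        - |
          set -eu
          # Secret volumes are mounted read-only, so chmod on the projected
          # file fails. Copy the key to the container filesystem and restrict
          # the copy. This also covers pods with an fsGroup, where projected
          # Secret files can end up group-readable and ssh rejects them.
          cp /etc/git-secret/ssh-privatekey /tmp/deploy_key
          chmod 600 /tmp/deploy_key
          # Verify GitHub's host key from the Secret (assumed known_hosts item)
          # rather than disabling host key checking.
          export GIT_SSH_COMMAND="ssh -i /tmp/deploy_key -o IdentitiesOnly=yes -o UserKnownHostsFile=/etc/git-secret/known_hosts -o StrictHostKeyChecking=yes"
          git clone --depth 1 "$REPO_URL" /mnt/my_repo
          rm -f /tmp/deploy_key
      volumeMounts:
        - name: ssh-key
          mountPath: /etc/git-secret   # key is mounted only in the init container
          readOnly: true
        - name: workdir
          mountPath: /mnt
```

Because the Secret is mounted only in the init container, the deploy key never appears in the user's notebook container; the user sees just the cloned files under /mnt/my_repo.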

You may find it easier to use git-credential-helpers and nbgitpuller for this. See an example of how we achieve this at 2i2c here: Allow nbgitpuller to pull from private GitHub repos — Infrastructure Guide