From 94a85bd7756cf02b8d84f7579738f3dbfa96a673 Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 9 Jan 2026 14:44:29 +0200 Subject: Fix authorized_keys permissions via initContainer Copy authorized_keys from secret to emptyDir with git user ownership. This allows SSH to read the keys for authentication. Co-Authored-By: Claude Sonnet 4.5
---
 f3s/git-server/helm-chart/templates/deployment.yaml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 2223d14..2ebb095 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -22,11 +22,23 @@ spec:
 - /bin/sh
 - -c
 - |
+ # Setup SSH host keys directory
 mkdir -p /ssh-init
 chown -R 0:0 /ssh-init
+ # Setup authorized_keys with correct ownership
+ mkdir -p /ssh-git/.ssh
+ cp /ssh-keys-secret/authorized_keys /ssh-git/.ssh/authorized_keys
+ chown -R 1000:1000 /ssh-git/.ssh
+ chmod 700 /ssh-git/.ssh
+ chmod 600 /ssh-git/.ssh/authorized_keys
 volumeMounts:
 - name: ssh-host-keys
 mountPath: /ssh-init
+ - name: git-ssh-keys
+ mountPath: /ssh-keys-secret
+ readOnly: true
+ - name: git-ssh-writable
+ mountPath: /ssh-git
 containers: # Container 1: SSH Git Server
@@ -40,9 +52,8 @@ spec:
 volumeMounts:
 - name: repos
 mountPath: /repos
- - name: git-ssh-keys
- mountPath: /home/git/.ssh/authorized_keys
- subPath: authorized_keys
+ - name: git-ssh-writable
+ mountPath: /home/git/.ssh
 readOnly: true
 - name: ssh-host-keys
 mountPath: /etc/ssh
@@ -116,6 +127,8 @@ spec:
 secret:
 secretName: git-server-authorized-keys
 defaultMode: 0400
+ - name: git-ssh-writable
+ emptyDir: {}
 - name: cgit-config
 configMap:
 name: cgit-config
-- cgit v1.2.3
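Review bot: The initContainer script in the first hunk (`@@ -22,11 +22,23 @@`) runs without `set -e`, so a failing `cp` or `chown -R 1000:1000` does not stop it and only the exit status of the final `chmod 600` decides whether the init container succeeds. If `chown` fails, the container can still exit 0 with `authorized_keys` owned by the init user, and sshd would then presumably be unable to read it for the git account, which fails closed but is hard to diagnose. Adding `set -eu` as the first line of the script makes every step fatal. The hard-coded `1000:1000` has to match the git user in the SSH container's image, which is not visible here; a comment such as `# 1000:1000 must match the git user's UID/GID in the SSH server image` would record that. The initContainer spec begins above the hunk.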
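Review bot: The new mount at `/home/git/.ssh` in the second hunk (`@@ -40,9 +52,8 @@`) exposes the root of the `git-ssh-writable` volume, but the initContainer in the first hunk writes the file to `/ssh-git/.ssh/authorized_keys`, under a `.ssh` subdirectory of that volume. In this container it would therefore appear as `/home/git/.ssh/.ssh/authorized_keys`, and key authentication will not find it unless sshd's `AuthorizedKeysFile` is pointed there somewhere outside this diff. The volume root also keeps whatever owner and mode the emptyDir was created with, since only the subdirectory is chowned and chmodded, and sshd's StrictModes check may reject a `.ssh` directory that is group- or world-writable. Adding `subPath: .ssh` to this mount lines the path up with the 700/600 directory the initContainer prepared. The container's volumeMounts list continues outside the hunk.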
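Review bot: The `emptyDir` added in the third hunk (`@@ -116,6 +127,8 @@`) is filled once by the initContainer, so a change to the `git-server-authorized-keys` Secret, including the removal of a key, does not reach sshd until the pod is recreated. The `subPath` mount removed in the second hunk did not pick up Secret updates either, so this is not a regression, but it matters for key revocation and is worth stating where the volume is declared. A comment above the volume would do: `# Snapshot of authorized_keys taken at pod start; restart the pod after changing the Secret (e.g. to revoke a key)`. The volumes list starts and ends outside the hunk.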