Git Sync Configuration
Deploying the UI with a Git-synced Query Library
This page walks through deploying the UI with Git Sync enabled. For how sync works at runtime, see the Git Sync section on the Query Library page.
The chart uses SSH for authentication.
GitHub is used below as the example backend, but any git host that speaks SSH
(GitLab, Gitea, Bitbucket, a self-hosted git server, …) works the same way.
Replace the gh step with the equivalent deploy-key registration for your
provider and point ssh-keyscan at its host.
1. Create the Library Repository
A dedicated private GitHub repo holds the library. The UI populates queries/ on the first mutation.
gh repo create your-org/berserk-library --private2. Generate a Deploy Key
ssh-keygen -t ed25519 -f ui-library-deploy -N "" -C "berserk-ui"
gh repo deploy-key add ui-library-deploy.pub \
--repo your-org/berserk-library \
--title "berserk-ui" \
--allow-write
ssh-keyscan -t ed25519 github.com > known_hostsThe known_hosts file pins GitHub's host key so the UI pod can verify it on every connection. Without it, git will fail with a StrictHostKeyChecking error.
3. Supply the Key to the Chart
Choose whether the chart manages the Kubernetes Secret or you create it out-of-band.
Create the Secret once, then reference it from values. The Secret is not owned by the Helm release, so helm uninstall leaves it in place.
kubectl create secret generic ui-library-git-ssh \
--namespace bzrk \
--from-file=id_ed25519=ui-library-deploy \
--from-file=known_hostsui:
library:
gitRepo: "git@github.com:your-org/berserk-library.git"
gitBranch: "main"
ssh:
managed: false
secretName: "ui-library-git-ssh"Pass the key material on first install; the chart renders the Secret and, on subsequent helm upgrade calls, uses lookup to preserve the existing data without re-passing the flags. Same pattern as global.postgresCredentials / global.s3Credentials.
ui:
library:
gitRepo: "git@github.com:your-org/berserk-library.git"
gitBranch: "main"
ssh:
managed: truehelm upgrade --install berserk berserk/berserk \
--namespace bzrk \
-f values.yaml \
--set-file ui.library.ssh.privateKey=ui-library-deploy \
--set-file ui.library.ssh.knownHosts=known_hosts--set-file is preferred over --set "$(cat …)" — it avoids shell quoting pitfalls with multi-line keys.
4. Storage
With git sync enabled, emptyDir is sufficient — the repository is cloned on every pod startup and all writes are pushed back to the remote. Use storage: "pvc" only when running without git sync and you need queries to survive pod restarts.
ui:
library:
storage: "emptyDir" # default; "pvc" for file-only modeConfiguration Reference
| Helm value | Env var | Default | Description |
|---|---|---|---|
ui.library.gitRepo | UI_GIT_REPO | (unset) | SSH remote URL. Leave empty for file-only mode. |
ui.library.gitBranch | UI_GIT_BRANCH | main | Branch to sync. |
ui.library.syncIntervalSecs | UI_GIT_SYNC_INTERVAL_SECS | 60 | How often the UI pulls from the remote. |
ui.library.ssh.managed | — | false | true to let the chart create the Secret. |
ui.library.ssh.secretName | — | (unset) | Existing Secret name when managed: false. |
ui.library.ssh.privateKey | — | (unset) | PEM-encoded private key (managed mode). |
ui.library.ssh.knownHosts | — | (unset) | ssh-keyscan output for the git host (managed). |
| — | UI_LIBRARY_DIR | /library | Directory the UI clones into. Fixed in the chart. |
| — | GIT_SSH_COMMAND | (generated) | ssh -i /etc/git-ssh/id_ed25519 -o UserKnownHostsFile=/etc/git-ssh/known_hosts -o IdentitiesOnly=yes |
The UI looks for id_ed25519 and known_hosts under /etc/git-ssh, which the chart projects from the Secret with defaultMode: 0400 so SSH's permission check passes.