Connect a private repository

Private repos authenticate with either an SSH deploy key or a token. Keep the credential in your vault and reference it from the manifest.

Option A — SSH deploy key

Store the private key in your vault, then reference it:

source:
  type: git
  repo: git@github.com:acme/private-app.git
  branch: main
  auth:
    from_vault: secret/acme/app#deploy_key

Add the matching public key as a deploy key on the repository (read-only is enough).

Option B — Personal access token

For HTTPS clones, store a token and reference it:

source:
  type: git
  repo: https://github.com/acme/private-app.git
  auth:
    from_vault: secret/acme/app#github_token

Why vault?

auth is a ValueRef: the credential is resolved at deploy time from your secret manager and never stored in the manifest or the control-plane database. See Vault & Secrets.

Private container images

Pulling a private image works the same way via pull_secret:

source:
  type: image
  image: registry.example.com/acme/app:1.2.3
  pull_secret:
    from_vault: secret/acme/registry#dockerconfig
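
The following is an added example, not code from this product or its documentation: a review-time check that a parsed source block keeps credentials as from_vault references, as "Why vault?" describes, for both auth and pull_secret. The path#key pattern is inferred from the examples on this page; lint_source and the sample manifests are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumed reference shape, inferred from this page's examples: <vault path>#<key>
VALUE_REF = re.compile(r"^[A-Za-z0-9_./-]+#[A-Za-z0-9_.-]+$")
CREDENTIAL_FIELDS = ("auth", "pull_secret")


def lint_source(source):
    """Return a list of findings for one parsed `source:` mapping."""
    findings = []
    for field in CREDENTIAL_FIELDS:
        if field not in source:
            continue
        value = source[field]
        # A credential must be a mapping whose only key is from_vault.
        if not isinstance(value, dict) or set(value) != {"from_vault"}:
            findings.append(f"{field}: inline value, expected a from_vault reference")
        elif not isinstance(value["from_vault"], str) or not VALUE_REF.match(value["from_vault"]):
            findings.append(f"{field}: from_vault is not of the form path#key")
    # HTTP(S) repo URLs can carry a token in the userinfo part (https://user:token@host/...).
    repo = source.get("repo", "")
    if "://" in repo:
        parts = urlsplit(repo)
        if parts.password or (parts.username and parts.scheme in ("http", "https")):
            findings.append("repo: credential embedded in URL")
    return findings


# Constructed sample manifests, already parsed from YAML into dicts.
GOOD = {"type": "git", "repo": "git@github.com:acme/private-app.git", "branch": "main",
        "auth": {"from_vault": "secret/acme/app#deploy_key"}}
BAD = {"type": "git", "repo": "https://ci:EXAMPLE_TOKEN@github.com/acme/private-app.git",
       "auth": "EXAMPLE_TOKEN"}
NO_KEY = {"type": "image", "image": "registry.example.com/acme/app:1.2.3",
          "pull_secret": {"from_vault": "secret/acme/registry"}}

if __name__ == "__main__":
    for name, src in (("good", GOOD), ("bad", BAD), ("no_key", NO_KEY)):
        print(name, lint_source(src))
```

Running it in CI or a pre-commit hook on every manifest change catches a literal credential before it reaches version control.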