Add an internal GitHub repository as a backup GitOps remote

Your clone of the GitOps repo is configured with an origin remote that points to To access this remote, you have already configured your management environment with an SSH key provided by Arrikto.

In order to add a Git remote for backup purposes, that also resides in GitHub, you need first to instruct SSH to select the proper key for each remote. This guide will help you extend your Git/SSH configuration so that you can specify the SSH key to use for the internal GitHub repository.


  1. Specify the name of your internal GitHub repository, for example:

    root@rok-tools:/# export GIT_INTERNAL_REPO=internal/deployments
  2. Copy the private SSH key:

    1. Open a terminal and run:

      root@rok-tools:/# cat > /root/.ssh/id_rsa_internal

      The above command will appear to hang while it is waiting for user input.

    2. Copy the text from your private SSH key, including the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY----- lines.

    3. Paste the text into the terminal, including the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY----- lines.

    4. Press ctrl-d to inform cat that there is no more input.

    5. Verify that cat has saved the key to /root/.ssh/id_rsa_internal:

      root@rok-tools:/# ls /root/.ssh/id_rsa_internal
  3. Set the correct permissions for the file:

    root@rok-tools:/# chmod 400 /root/.ssh/id_rsa_internal
  4. Create an extra SSH configuration directory for user root, if it doesn't exist:

    root@rok-tools:/# mkdir -p /root/.ssh/config.d
  5. Add an SSH configuration file that instructs SSH to use the internal key when it connects to

    root@rok-tools:/# cat > /root/.ssh/config.d/internal <<EOF
    >    Hostname
    >    IdentitiesOnly yes
    >    IdentityFile /root/.ssh/id_rsa_internal


    • Host is a dummy hostname that your Git remote will have, to force SSH use a specific key for it.
    • Hostname is the actual hostname that SSH will use for the connection.
    • IdentitiesOnly is a flag that makes SSH use only this specific key for this host.
    • IdentityFile is the location of the private SSH key.
  6. Create the main SSH configuration file for user root, if it doesn't exist:

    root@rok-tools:/# touch /root/.ssh/config
  7. Extend /root/.ssh/config with a directive that includes additional configuration files under the /root/.ssh/config.d directory:

    root@rok-tools:/# grep -q '^Include config.d/*' /root/.ssh/config \
    >    || echo -en "\nInclude config.d/*" >> /root/.ssh/config
  8. Verify that you can connect to with the Arrikto deployment key:

    root@rok-tools:/# ssh -T

    You should see the following message:

    Hi arrikto/deployments! You've successfully authenticated, but GitHub does
    not provide shell access.
  9. Verify that you can connect to with your internal SSH key:

    root@rok-tools:/# ssh -T

    You should see the same message as above, albeit with a different name than arrikto/deployments.

  10. Change your current directory to the one you cloned the GitOps repository to:

    root@rok-tools:/# cd ~/ops/deployments
  11. Create a Git remote named internal that points to the host you have added in the SSH configuration:

    root@rok-tools:~/ops/deployments# git remote add internal${GIT_INTERNAL_REPO?}
    • If the above command fails with:

      fatal: remote internal already exists.

      then you already have a Git remote named internal. You can update the URL it points to:

      root@rok-tools:~/ops/deployments# git remote set-url internal${GIT_INTERNAL_REPO?}
  12. Ensure you have read access to all of the remotes:

    root@rok-tools:~/ops/deployments# git fetch --all


You have successfully configured access to an internal GitHub repository in your management environment.

What's Next

You can check out the rest of the maintenance operations that you can perform on your cluster.