# Git on Satellite
Git on Satellite runs the Git integration inside your Kubernetes environment through Resolve Satellite. Repositories are cloned and managed in your environment. Code stays in your infrastructure, except for investigation snippets that are sent when needed for analysis.

## Overview

Git on Satellite lets Resolve AI:

- Clone and sync multiple Git repositories
- Search repository files and directories
- Read file contents and Git history
- Analyze commits, diffs, and blame data
- Propose code changes and open PRs when write tooling is enabled

## When to use it

Use Git on Satellite when:

- Repositories are private to your network
- You need in-cluster data residency and control
- You need custom networking and cluster-level security controls

If you want the fastest setup without running infrastructure, use docid\ zfdbzicj9ioenphsinkdb

## Prerequisites

- Resolve Satellite deployed in your Kubernetes cluster
- Repository hosts reachable from Satellite pods
- Kubernetes Secret management available
- Helm available for Satellite updates

## Available tools

The Git integration provides:

- Git network operations: `git clone`, `git fetch`
- Local read-only Git operations: history, diffs, file inspection
- File system/text processing tools used during code analysis
- Write/remediation tools (`suggestchange`, `revertcommit`) when enabled

## Code remediation behavior

Write/remediation tools are controlled by both Satellite version support and connection config.

| Satellite version | Remediation tool support |
| --- | --- |
| v1.0.15+ | Supported |
| < v1.0.15 | Not supported |

Write/remediation availability is then gated by `connection.disablewrites`:

- `disablewrites: true` => read-only mode
- `disablewrites: false` => write/remediation tools allowed
- If omitted:
  - defaults to `false` when any auth config is `type: "github"`
  - defaults to `true` for token-only auth

Resolve AI does not automatically push changes without user action. PR creation is an explicit user-invoked workflow.

## Authentication options

### Option 1: GitHub auth (recommended for GitHub)

Add a Git integration with GitHub auth config:
`resolve-values.yaml`

```yaml
integrations:
  gitgithub:
    type: git
    create: true
    connection:
      authconfigs:
        githubapp:
          type: "github"
    gitvolume:
      type: persistentvolumeclaim
```

Deploy/update Satellite:

```bash
helm upgrade --install resolve-satellite \
  oci://registry-1.docker.io/resolveaihq/satellite-chart \
  --values resolve-values.yaml
```

In the Resolve UI, open your Git integration and click Install GitHub App.

Complete GitHub authorization and choose repositories.

Verify health check and repository listing.

For a GitHub-specific walkthrough, see docid\ g avjzp sqgo8nhrnflv

### Option 2: Token auth

Token auth uses matching keys between `connection.authconfigs` and credentials in your Kubernetes Secret.

#### Step 1: Create access tokens

Create provider tokens first. See docid 8gqksnfkotdqmlsy0dijg

#### Step 2: Create Kubernetes Secret

`git-credentials.yaml`

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: git-credentials
stringData:
  tokenauthcredentials: |
    githubtoken: # key name used in step 3 authconfigs
      username: <github-username>
      token: <github-token>
  # optional per-auth custom certificate overrides
  trustedcertificateoverrides: |
    githubtoken: | # must use the same key name as tokenauthcredentials/authconfigs
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
```

`git-credentials.yaml`

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: git-credentials
stringData:
  tokenauthcredentials: |
    githuborgonetoken: # github org one credentials
      username: <github-username>
      token: <github-token-org-one>
    githuborgtwotoken: # github org two credentials
      username: <github-username>
      token: <github-token-org-two>
    gitlabtoken: # gitlab credentials
      username: <gitlab-username>
      token: <gitlab-token>
  # optional per-auth custom certificate overrides
  trustedcertificateoverrides: |
    gitlabtoken: | # needed only for custom/self-signed gitlab certs
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
```

Apply secret:

```bash
kubectl apply -f git-credentials.yaml
```

#### Step 3: Configure integration

`resolve-values.yaml`

```yaml
integrations:
  gittoken:
    type: git
    create: true
    secretname: git-credentials
    connection:
      authconfigs:
        githubtoken: # must match key in secret
          type: "token"
          tokenauthremoteurls:
            - "https://github.com/your-org/repo-1.git"
            - "https://github.com/your-org/repo-2.git"
    # recommended for production
    gitvolume:
      type: persistentvolumeclaim
```

`resolve-values.yaml`

```yaml
integrations:
  gittoken:
    type: git
    create: true
    secretname: git-credentials
    connection:
      authconfigs:
        githuborgonetoken: # must match key in secret (github org one)
          type: "token"
          tokenauthremoteurls:
            - "https://github.com/org-one/repo-1.git"
            - "https://github.com/org-one/repo-2.git"
        githuborgtwotoken: # must match key in secret (github org two)
          type: "token"
          tokenauthremoteurls:
            - "https://github.com/org-two/repo-1.git"
        gitlabtoken: # must match key in secret (gitlab)
          type: "token"
          tokenauthremoteurls:
            - "https://gitlab.com/group-one/repo-1.git"
            - "https://gitlab.com/group-two/repo-2.git"
    # recommended for production
    gitvolume:
      type: persistentvolumeclaim
```

#### Step 4: Deploy

```bash
helm upgrade --install resolve-satellite \
  oci://registry-1.docker.io/resolveaihq/satellite-chart \
  --values resolve-values.yaml
```

Key matching rule:

- `connection.authconfigs.<name>` must match `tokenauthcredentials.<name>` exactly
- If used, `trustedcertificateoverrides.<name>` must use the same key

How token auth mapping works:

- `authconfigs.<name>.tokenauthremoteurls` defines which repositories use that auth config
- `tokenauthcredentials.<name>` provides the username/token for those repositories
- Optional `trustedcertificateoverrides.<name>` adds a per-auth custom cert for TLS verification

## Storage configuration

Satellite clones repositories into `gitvolume`.

### Default (`emptydir`)

- Ephemeral
- Default size: 10Gi
- Full re-clone after pod restart

```yaml
gitvolume:
  type: emptydir
  emptydir:
    sizeLimit: 10Gi
```

### Recommended for production (PVC)

- Persistent across restarts
- Better for large repositories and faster restart recovery

```yaml
gitvolume:
  type: persistentvolumeclaim
  persistentvolumeclaim:
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 100Gi
```

## Advanced configuration

### Custom SSL certificates

For self-hosted Git with private CA or self-signed certificates, set `trustedcertificateoverrides` using the auth config key.

`git-credentials.yaml`

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: git-credentials
stringData:
  tokenauthcredentials: |
    selfhosted:
      username: <username>
      token: <token>
  trustedcertificateoverrides: |
    selfhosted: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
```

### `gitsslnoverify` (use carefully)

```yaml
connection:
  gitsslnoverify: true
gitvolume:
  type: persistentvolumeclaim
```

Disabling SSL verification weakens transport security. Prefer `trustedcertificateoverrides` when possible.

### `disablewrites`

```yaml
connection:
  disablewrites: true
gitvolume:
  type: persistentvolumeclaim
```

Use this for strict read-only mode.

### `disabledsubcommands`

```yaml
connection:
  disabledsubcommands: ["config", "remote"]
gitvolume:
  type: persistentvolumeclaim
```

Use this to block specific `git <subcommand>` operations.

## Schema reference

The connection schema supports inline credentials and certificate overrides. For Satellite deployments, we recommend storing `tokenauthcredentials` and `trustedcertificateoverrides` in a Kubernetes Secret (`secretname`) instead of inline.

`resolve-values.yaml`

```yaml
connection:
  authconfigs:
    <authname>:
      type: "token" | "github"
      tokenauthremoteurls: ["..."] # required for token auth
  tokenauthcredentials: # schema-supported inline form
    <authname>:
      username: "..."
      token: "..."
  trustedcertificateoverrides: # schema-supported inline form
    <authname>: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
  gitsslnoverify: false
  disablewrites: true
  disabledsubcommands: []
gitvolume:
  type: persistentvolumeclaim
```

## Repository URL formats

Use HTTPS URLs only. Supported examples:

- `https://github.com/org-name/repo-name.git`
- `https://gitlab.com/org-name/repo-name.git`
- `https://bitbucket.org/org-name/repo-name.git`
- `https://github.company.com/org-name/repo-name.git`

## Creating personal access tokens

### GitHub

GitHub supports fine-grained and classic PATs.

#### Fine-grained token (recommended)

1. Go to Settings > Developer settings > Personal access tokens > Fine-grained tokens
2. Click Generate new token
3. Set token name and expiration
4. Choose resource owner and repository access
5. Set repository permissions: Contents: Read-only (or write if you need write/remediation)
6. Generate and copy token

#### Classic token

1. Go to Settings > Developer settings > Personal access tokens > Tokens (classic)
2. Generate token and set expiration
3. Scopes:
   - Private repositories: `repo`
   - Public-only workflows: `public_repo`
4. Authorize SSO for your org if required
5. Copy token

Classic PATs with `repo` scope are broad. Prefer fine-grained PATs when possible.

### GitLab

1. Go to Preferences > Access Tokens
2. Create token with expiration
3. Add scope `read_repository` (or additional write scopes if required)
4. Copy token

## How it works (Satellite path)

- Integrations gateway resolves auth configs and prepares tool commands
- GitHub auth: repository lists come from GitHub installation metadata refresh
- Token auth: credentials/certs are resolved from the secret-backed connection data
- Refresh uses `cloneorfetch` with configured concurrency limits
- Read commands can execute against specific refs using temporary worktrees
- Command validation enforces path safety and blocked subcommands

## Tooling notes

- Read tools: search, file read/list, Git history/diff, metadata operations
- Write/remediation tools: `suggestchange`, `revertcommit` (when enabled)
- `applypatch` is CLI-only (not a remote Satellite tool)

## Troubleshooting

### Health check failures

- Verify token/username values in the Secret
- Verify `authconfigs` keys match Secret keys
- Verify Satellite can reach the repository host
- Verify certificate content is valid PEM for custom cert overrides

### Clone failures

- Authentication failed: token invalid/expired or missing required repo permissions
- Network timeout/refusal: repository host unreachable from Satellite network
- Disk pressure: insufficient storage for clone/fetch operations
- Invalid URL format: URL must be HTTPS and reachable

### Refresh issues

- Check whether credentials changed recently
- Validate repository host connectivity from the cluster
- Ensure there is enough storage headroom for fetch/submodule updates
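The key-matching rule and the HTTPS-only URL requirement can be checked before deploying. The following is an added example, not Resolve's own code: `lint_token_auth` is a hypothetical helper, and the sample dictionaries are constructed stand-ins for the parsed `authconfigs` values and the parsed `tokenauthcredentials` Secret content.

```python
from urllib.parse import urlparse

def lint_token_auth(authconfigs, credentials, cert_overrides=None):
    """Return findings for one integration's token-auth wiring (empty list = clean)."""
    cert_overrides = cert_overrides or {}
    findings = []
    # Only type "token" entries need Secret-backed credentials and a URL list.
    token_names = {n for n, c in authconfigs.items() if c.get("type") == "token"}
    for name in sorted(token_names):
        if name not in credentials:  # exact, case-sensitive key match
            findings.append(f"{name}: no matching tokenauthcredentials key")
        urls = authconfigs[name].get("tokenauthremoteurls") or []
        if not urls:
            findings.append(f"{name}: tokenauthremoteurls is required for token auth")
        for url in urls:
            parsed = urlparse(url)
            if parsed.scheme != "https" or not parsed.hostname:
                findings.append(f"{name}: not an HTTPS repository URL: {url}")
    # Keys that exist only on the Secret side usually indicate a typo or stale entry.
    for name in sorted(set(credentials) - token_names):
        findings.append(f"{name}: credentials key has no token auth config")
    for name in sorted(set(cert_overrides) - token_names):
        findings.append(f"{name}: certificate override has no token auth config")
    return findings

# Constructed sample data: one SSH-style URL and one key with mismatched casing.
SAMPLE_AUTHCONFIGS = {
    "githubapp": {"type": "github"},
    "githuborgonetoken": {"type": "token", "tokenauthremoteurls": [
        "https://github.com/org-one/repo-1.git",
        "git@github.com:org-one/repo-2.git",
    ]},
    "gitlabtoken": {"type": "token", "tokenauthremoteurls": [
        "https://gitlab.com/group-one/repo-1.git",
    ]},
}
SAMPLE_CREDENTIALS = {
    "githuborgonetoken": {"username": "placeholder", "token": "placeholder"},
    "GitlabToken": {"username": "placeholder", "token": "placeholder"},
}

if __name__ == "__main__":
    for finding in lint_token_auth(SAMPLE_AUTHCONFIGS, SAMPLE_CREDENTIALS):
        print(finding)
```
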
### Unexpected read-only behavior

- Check if `disablewrites` is explicitly `true`
- If omitted, token-only auth defaults to read-only
- Check Satellite version support (v1.0.15+ required for remediation tools)

## Frequently asked questions

### How often are repositories synced?

Repositories are refreshed during scheduled scrape/health workflows. In practice this is typically every few minutes, depending on your org scrape cadence.

### Can Resolve AI modify my repositories?

By default, write availability depends on auth type and `disablewrites`:

- Any GitHub auth config + `disablewrites` omitted => writes enabled by default
- Token-only auth + `disablewrites` omitted => read-only by default

In both cases, PR creation/remediation still occurs through explicit user-invoked workflows.

### How much disk space do I need?

Plan for total repository size plus Git metadata and growth. A practical baseline is total repo size x 1.5 to 2.0.

### Should I use PVC or `emptydir`?

Use PVC for production. Use `emptydir` only when re-cloning after restarts is acceptable.

### Can I use SSH URLs?

No. Use HTTPS repository URLs.

### What is the difference between GitHub auth and token auth?

- GitHub auth: managed installation-based auth and GitHub metadata integration
- Token auth: direct credentials per auth config and provider flexibility

Both can be read-only or write-enabled depending on `disablewrites` and version support.

### Can I use both GitHub and token auth in one integration?

Yes. Multiple auth configs can coexist under `authconfigs`. You can combine one GitHub auth config with one or more token auth configs. Only one GitHub-based auth config is currently supported per integration.

### How do I add more repositories?

- GitHub auth: grant additional repos during app authorization/config update
- Token auth: add repository URLs under the correct `tokenauthremoteurls` auth config and redeploy

### How do I rotate credentials?
1. Generate new token(s)
2. Update the Kubernetes Secret
3. Reapply the Secret
4. Restart Satellite pods if required by your secret propagation model

```bash
kubectl apply -f git-credentials.yaml
kubectl rollout restart statefulset/resolve-satellite
```

### What happens if a token expires?

Health checks and refresh operations for that auth config will fail until token credentials are updated.

### Can I configure different permissions for different repositories?

Yes. Use multiple auth configs, each with different credentials and repository URL sets. This lets you isolate permissions by team, provider, or repository group.

### Are there limits on concurrent operations and repository size?

There are no hardcoded per-repo size limits in docs-level config. Practical limits come from Satellite CPU, memory, network throughput, and storage capacity. Adjust resources and storage based on repo count/size and refresh concurrency.

### Can token auth use write/remediation tools?

Yes, when `disablewrites: false` and Satellite version support is available (v1.0.15+).
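The write-gating rules described on this page (version support first, then `disablewrites` with its auth-type-dependent default) combine as in the following added example. It is not Resolve's own code: the function names are hypothetical, and it assumes version strings of the form `v1.0.15`.

```python
import re

MIN_REMEDIATION_VERSION = (1, 0, 15)  # from the version table on this page

def parse_version(text):
    """Parse 'v1.0.15' (assumed format) into a tuple so 1.0.9 sorts below 1.0.15."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognized Satellite version: {text!r}")
    return tuple(int(part) for part in match.groups())

def effective_disablewrites(authconfigs, disablewrites=None):
    """Apply the documented default when disablewrites is omitted (None)."""
    if disablewrites is not None:
        return bool(disablewrites)
    has_github = any(c.get("type") == "github" for c in authconfigs.values())
    return not has_github  # false with any github auth, true for token-only

def write_tools_available(satellite_version, authconfigs, disablewrites=None):
    """Return (available, reason) for write/remediation tools."""
    if parse_version(satellite_version) < MIN_REMEDIATION_VERSION:
        return False, "satellite version below v1.0.15"
    if effective_disablewrites(authconfigs, disablewrites):
        source = "explicit" if disablewrites is not None else "default for token-only auth"
        return False, f"disablewrites is true ({source})"
    return True, "write/remediation tools allowed"

# Constructed auth config sets for illustration.
TOKEN_ONLY = {"gitlabtoken": {"type": "token"}}
MIXED = {"githubapp": {"type": "github"}, "gitlabtoken": {"type": "token"}}

if __name__ == "__main__":
    cases = [
        ("v1.0.9", MIXED, None),
        ("v1.0.15", TOKEN_ONLY, None),
        ("v1.0.15", TOKEN_ONLY, False),
        ("v1.0.15", MIXED, None),
        ("v1.0.15", MIXED, True),
    ]
    for version, auth, flag in cases:
        print(version, sorted(auth), flag, write_tools_available(version, auth, flag))
```
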