Use private key, not client secret, when setting up nbgitpuller

Added a document note about using the RSA private key,
**not** the client secret.

config/clusters/2i2c-aws-us/enc-neurohackademy.secret.values.yaml

@@ -8,7 +8,7 @@ jupyterhub:
         extraFiles:
             github-app-private-key.pem:
                 mountPath: ENC[AES256_GCM,data:E7XeswjGH6fiO5Uygu6h/s1X++SQyPH6GmZZiGJsib/vcHyD4N4=,iv:2OAJbzgI7fyoxI4gjKsJmFoKlqeNE4IvypOG7gz6+uo=,tag:buQu1bzbPgxCzYlaK+mbXQ==,type:str]
-                stringData: ENC[AES256_GCM,data:Ixe8w/uQRpPhyOmPUKIRqtEuQ9gXQ5VspYlrT6UXukEr46uhJs3KXFQ=,iv:/7Hx2dTFbhnYtKU+EUBn/thoDcfRS126y1mBN4NTp08=,tag:mXtSiBBqv6gJg04RrVyaqg==,type:str]
+                stringData: ENC[AES256_GCM,data:IaB6k4lXLk95hiZgaE6Lf+bBzFBpwZRdBvE1UNQG5hcOFnf9hTbRva0NKDgrzCWJyO/DxZh8IgZx+UIr3Z5fd781AGsKVv6sA0XSJ3wg0JeoEHqYb1DR3AfbkoroFwJjNQJM+98A591Hwzd/yTWJpW3cKDYU3Ocb7KfPKO4vml3vX49oUfd+NkGDlK1JtbebMSETy5rSGrv4NTwhkCL+CFi6zPcwSc+OtYCtUdPQ8oKkbCscwXkep+2CgONRCm5qnKpBtTBg9Ke/GAbPRjodXIW/TZRCS//aRnuf7Zjss6fLW6OP498h2WSh9JbOYRGUhEy6XUHA7Ee2xOVZ7kDR74Pb0yHqFuYPm4lG9+bxRkYZYqoEQ1C+TzB0ymAxjDULjcIkSWtKtL3EjQIqJ5endwsR+nM8a4FvYtHxbSufB7uSQ0DCFYR/5tJ1B/dCBNUCVoJhi0Qp/0xhx3+9ASBSHfs4CgQGUc+1KTPrDTVu7vWqP0vfefOhHT5EQZLdD9Rx0vhHcleXOQfDRam2D7koyq439etMnJSGECq5aXEaTzooIVZV+Sgi7YqfaOFH8TxZZn2My7UmwA2dkQr0WkzuB3mUVQwPzvnSq3Cvx5M/6C+GUUm4wyKG1lk0D2fL0Tc4HtXWzmMfeEpzIJkSok3Y7RlLNEedq2aqaty3cu5ETQiGIFT/zzNkKfmOuSPqSDCYnWJ9XtYCKpsrNcw+IcUXP3DKkvcuiGgneEq9VMu8Yg3XTNQ2e/FeboYONvXBqSJjF2g2Y3zBwJQXIFSiNAaLfA3KB96SfmJccw24HOSnKikqIK2Ql0P1fVCNOrXsPtJ4ahE8dIPibCW5MxWV+mdMJEfeeYBjG4AiRJY96L1N/f+RWmh1H2lAjMQs+7+U3s55WaVM8rDD874+mX0zeCSFhrMqQ1XdnGSPraGhzkNb1oCj8Ec35TKhyuWRfrjWP4IEU89TvuYR4L+mOoZOG8lKY2oahZSrhajs7GfDi4p1A6+sfz4Q5FZoqilQKhUDfgK0I0wW559rTBJ206UbTcOgEhxb76d9ayDcIcxNo3eYJG2N1/6as0qQ2vCavX7mvd3kFHYKic++V/dt3dDVJ/8gSCxvf4OvTAcE+57t2izzvuMr0yi/edPyzPhVjQOT/s2cyASrLzUfuAGynLcNciPe0J5ES7xJddI4704PYWkDy0boJu3uRFw8OAd8JhY5b/c38xDqQ9nnTdk+2DUlSyhI2nXoQ5XUFBpb1NnJmQqWFM7bVkozbQoIwsOYYF0D21PL5y5ZhiGy9YECFzGCFClDUoxZ/aHikxqAOiVAtQylBuyy3uv0vsUTIDsS7bqCjP5KZPMJdKPBI4BqkTzm2l7Gg3ZZ+MyBFcPXj/HNQwY8uwNwULgMBTbtGISUMTD/lB/a87d6/TzKq+FNrHYv/iGtdiCKzw7XwmXAxKWGVgiJy/5TuLMItWPpfbtDvHOMEIBzG9WkBUNK8tZ/nWElgjXnmKee6CtXpgKVlyEZOuS4a/dDqAoubXuUC5WtzM5kWy1g8YYpfiPXfGqq3zKxgjH2mWLql3Uyvl567AQeK8guKgkfwMa/Um1AqMtHVix1slq/6xkOABpNSo6SVf//8jHNv0XbGXXayxrYIRI8AtbmQUOeqfqpeWaxpih80hWBIpC25pLgOjp79c9VHA7V57gSJ7Dny+waYlu5ABUlrYGQIvNtNkkGxOug5ibgCsZsYGvzMndD6va9aOmuQXZOSz5cg1spcMtKgy3k6R9f/tix0Z/fLFjOD42Vis0QO2iW3dOVca3r7FR5CcfJeAe7n0OEjXX4u5WL/wvJlkm+6V/CU3LW8xD30zOD2Kkn9FoUuT1neRVRlgsQQomnuSwHAbx3tYC7GB034tPde0ziEVPX1s7YOEuXcI1X3+redf9MzoSvQDlZTM27zT7h4b79P2dhaxFet2OADDiucz7WPgmtTbTuYtGbD2b8IxeNZqUyGBWcnXUAjlVPp2CjQ3zjPy128KKUvgx9A5lCXuUzzJkGyOMTWY4TsfTIMQC+gbYjqKT4aSZP/1a6qhKUVUaTOAAB95OpzF3kqUzICCuwz6h0h+upH9D5v7qKwIN1o2Qewe1SrYinC9w0f+bvPEYz0ukfmrOw/VJygu0vwc2G52Jp2H2YF8LBHd8tpYD6cH3CpMst81hupuxffiq7yqDXatClzues8e3h79q4Qpwx4hX4EKdfM9gMT+seRECXfiuaN2w=,iv:lW2CgJ3d6ezU7r/xTW6wfE8x0gL4U/qZg1J7CKGhwg0=,tag:LkX+XijXVyY6lnyH6K+qeA==,type:str]
 sops:
     kms: []
     gcp_kms:
@@ -18,8 +18,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-07-19T08:25:42Z"
-    mac: ENC[AES256_GCM,data:bHMR10y8ON4MJrlZatkyDJWQ3P/SuCJq/yT/Pk+CJwiqcjOCXt2ryCWIwrCyBZ2VimZ3jskScLChgyBfMdMainmDbaV77Id9r5515KWRGRXh3ZXV+/4ASqfnQZBcJ39g7lSuUQpSfVWzA76yOWqxb6bzlYOUrQL9MuhyzvzObfU=,iv:fQaTE/JwXlyARI40wnNe76HF93kLmJc5NO5CniC4Wbo=,tag:Bfo9x0xtcWNaC/DmHMzmvg==,type:str]
+    lastmodified: "2024-07-22T20:42:28Z"
+    mac: ENC[AES256_GCM,data:BiXoEKzovCBddQzV+bJDMUuBPYGyRvOCvRKsDPlBf7brIY91mtacTc8FJhCynKDcckIc9RmQY7wrIjj036va1yjQbu5hkoRTFEsMKWwlQ+9QvjKge4TU1RCtmlVNFBElPoD7BMZUP0KkyH3LofiHOlDN69eZOHR9yy5AdzSF6TQ=,iv:kvgSA+hmgpC9ADXR0dt4YGsoHGwejQnvw1D5qzFUAaY=,tag:ifxxojOJ+hVU/Lj76bRaFw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

docs/howto/features/private-nbgitpuller.md

@@ -40,7 +40,9 @@ to pull private repos as static content.
 
 8. Create a new private key for authentication use with the `Generate a private key`
    button. This should download a private key file, that you should delete after
-   putting it in the appropriate config (in the next step)
+   putting it in the appropriate config (in the next step).
+
+   You must use the **private key**, not a **client secret** here.
 
 ## Helm values configuration
 
@@ -60,13 +62,13 @@ the app we just created.
              helper = !git-credential-github-app --app-key-file /etc/github/github-app-private-key.pem --app-id <app-id>
              useHttpPath = true
    ```
-   
+
    Unfortunately, the `<path-to-git-config>` depends on *how* `git` is
-   installed inside the image. 
+   installed inside the image.
 
    a. The most common situation is `git` is installed from `apt` or the system
       package manager, and not `conda`. In this case, `mountPath` is `/etc/gitconfig`.
-      
+
    b. If `git` is installed from conda, it will
       *not* read `/etc/gitconfig` (see [bug](https://github.com/conda-forge/git-feedstock/issues/113),
       but `${CONDA_PREFIX}/etc/gitconfig`. So, *if* the image installs `git` from
@@ -88,12 +90,17 @@ the app we just created.
            mountPath: /etc/github/github-app-private-key.pem
            stringData: |
              <contents-of-the-private-key-file>
-            
+
    ```
-   
+
    Make sure this file is also listed under `helm_chart_values_files` for the hub in
    the cluster's `cluster.yaml` so it is read during deployment.
 
+   ```{warning}
+   This should be the private key, a multiline file that starts with
+   `BEGIN RSA PRIVATE KEY`, not the simpler client secret.
+   ```
+
 3. Once set up, do a deploy to test!
 
 ## Grant access to the private repo