I am deploying a container in an AKS cluster.
I want to mount a configuration folder (size 200+ MB) into this container. The configuration folder is kept in a git repo. Each customer has their own configuration data, which is stored in a separate branch of the same repo.
I am thinking of the options below to load the configuration folder into the container:
Can you please guide me on which is the best option? Is there any other, better approach?
I have read that there are security issues with using PVC shared volumes that could grant an attacker root permissions on the node. There are also security concerns with using git inside a container. Can you provide more info on why/how these are security concerns?
I would use a git sync image (there are quite a few out there). This way you should use read-only access (the PAT token you mentioned should not provide write access to the repo). It has support for reading from different branches; you just need to pass the value to it (easily done through a Helm chart). And the good thing is that you can keep syncing the configuration afterwards (if your microservice supports it).
I see all the other solutions as more complicated.
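One way to wire the git sync approach into a pod, as an added example that is not part of the answer above: git-sync runs once as an init container, authenticates with a read-only PAT taken from a Secret, checks out the per-customer branch into an emptyDir, and the application container mounts that volume read-only as a non-root user. The image tag, repo URL, branch, Secret name and image name are assumptions, and the flag and environment-variable names follow git-sync v3, so check them against the version you actually run.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: customer-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65533          # git-sync's default non-root uid (assumption)
    fsGroup: 65533            # lets the app container read what git-sync wrote
  volumes:
  - name: config
    emptyDir: {}              # pod-local scratch space; no PVC, no hostPath
  initContainers:
  - name: fetch-config
    image: registry.k8s.io/git-sync/git-sync:v3.6.9   # tag is an assumption
    env:
    - name: CUSTOMER_BRANCH
      value: customer-a       # per-customer branch, normally set from Helm values
    - name: GIT_SYNC_USERNAME
      valueFrom:
        secretKeyRef: {name: config-repo-ro, key: username}
    - name: GIT_SYNC_PASSWORD # read-only PAT; never a write-capable token
      valueFrom:
        secretKeyRef: {name: config-repo-ro, key: token}
    args:
    - --repo=https://example.invalid/org/customer-config.git  # placeholder URL
    - --branch=$(CUSTOMER_BRANCH)
    - --depth=1               # shallow clone keeps the 200 MB tree manageable
    - --one-time              # clone once and exit; drop this for continuous sync
    - --root=/config
    - --dest=current          # checkout is exposed as /config/current
    volumeMounts:
    - name: config
      mountPath: /config
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {drop: ["ALL"]}
  containers:
  - name: app
    image: example.invalid/customer-app:1.0   # placeholder image
    volumeMounts:
    - name: config
      mountPath: /config      # same path as the init container so the
      readOnly: true          # "current" link resolves; the app only reads it
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: {drop: ["ALL"]}
```

With this layout the token only ever exists in the init container's environment, the node's filesystem is never mounted, and the application container cannot modify the checkout.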
I think we can do it a simple way: you can use Helm with a hook script. My idea is
FILE_DOWNLOAD_GIT_REPO
to your PVC mount. That's it :) It gets rid of an unnecessary step and can be reused. Right? :) Sorry, I'm so sleepy I can't write a sample Helm chart for you. But I hope you get the idea. :)
I would suggest using some kind of storage and then an NFS drive of some kind.
There are a few considerations you have to take into account:
- how many writes there are
- how many reads there are
- what the typical file size is
I would advise against using a startup script to download it, as that will make your container much slower to bring up; in general, the container should be ready to serve traffic when you start it. You can do something like this on Azure: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-how-to-mount-container-linux
If you are using AKS, you can use an Azure Files persistent volume claim to hold the configuration; you can use the file share in read-only mode, which would give better security.
In my mind all the other options are a lot less convenient (and arguably less secure).
Use an init container to load the configuration folder from the git repo into a shared volume between the init container and the main container.