Generate keys in a separate tmpfs volume
In Kubernetes >= 1.10, secrets (and config-maps) will be mounted
read-only. This means we cannot use the tmpfs volume used for the
deploy secret as a workspace for generating new keys (and that we have
to mount the secret with the right mode, since we won't be able to
Instead, require _another_ tmpfs to be mounted, and use that. The new,
mandatory flag `--ssh-keygen-dir` is for providing the path. It's
mandatory so that it's harder to accidentally just use a "regular" bit
of the filesystem to generate keys and thereby put them on disk.
So we can still use stable paths, both possible stable locations of
the private key are mentioned in ~/.ssh/config (in the Docker image).