Michael Perju
01/12/2023, 3:46 PM
{"log.level":"error","@timestamp":"2023-01-12T15:21:04.187Z","log.logger":"cerbos.git.store","message":"Failed to initialize git store","dir":"/policies","error":"failed to clone from git@github.com:utilitywarehouse/cerbos-policies.git to /policies: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable"}
cerbos: error: failed to create store: failed to clone from git@github.com:utilitywarehouse/cerbos-policies.git to /policies: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable
WHAT I'VE TRIED:
• Mounting a hardcoded known_hosts file - makes it WORK
I am not sure this is a good approach, since the public keys of github may rotate in the future and the hardcoded file will be invalid.
• Mounting an ssh_config inside /etc/ssh/ssh_config, as well as in /.ssh/config, configuring SSH to ignore the known_hosts file - Does not work
THOUGHTS:
At the moment, I think only hard-copying the known_hosts file. A better approach, though not standard, would be to ignore checking the known hosts at all. That is done via SSH configuration, but the docker image ignores any mounted configuration files.
Charith (Cerbos)
01/12/2023, 3:55 PM
known_hosts file for just the host you're interested in (ssh-keyscan github.com) and mounting it at /etc/ssh/ssh_known_hosts. If you're in Kubernetes, you can do this with an init container as well.
Michael Perju
01/12/2023, 10:09 PM