Image Scanner known hosts issue

[wiikip]

I am trying to use image scan feature.
I configured everything as indicated in the documentation, the CRD ImageScan is successfuly created and updated when I push new images to my Docker Registry ( Private ECR ).
However it looks like fleet cannot update my Git repository ( AWS Code Commit ). The following error appears in the fleet-controller logs:
level=error msg="error syncing 'fleet-local/fleet-server': handler image-sync: unable to find any valid known_hosts file, set SSH_KNOWN_HOSTS env variable, requeuing"

I found that the library used to clone the repo and to commit changes was https://github.com/go-git/go-git, the reason of this error seems to be that the lib is trying to find a known_hosts file but no valid file exists cf line 220 of this file https://github.com/go-git/go-git/blob/master/plumbing/transport/ssh/auth_method.go

I tried to add ´known_hosts´ in the ssh secret used when creating GitRepo crd, but it has no effect.

A workaround would be to mount a known_host file in the fleet-controller pod but it implies editing the helm chart.

Anyone has encoutered this issue ? I feel like its linked with SSH cloning of the repo, I will give it a try using https, if someone succeed to have it working with SSH I would be interested

I am using Fleet v0.3.8

Thanks

[manno]

The go-git library used by imagescan released a fix for the known hosts issue: go-git/go-git#548
Once they cut a new release we can update fleet.

Note: In fleet only imagescan uses go-git, but checking and cloning repos is done by shelling out to git. (Well there is also some test code that also uses go-git).

[thardeck]

There is no implemented way in Fleet at the moment to provide known_hosts to go-git which is used for imagescan. Furthermore go-git by default does not allow ssh connections to unknown hosts.
Both issues need to be addressed to fix this and have a similar git behavior (accept every new host as long there is no known_hosts provided) as gitjob in other parts of Fleet.