Description
Is your feature request related to a problem? Please describe.
Our Terraform modules are located in private GIT repositories and we use SSH to clone these modules.
Cloning these Terraform modules using Terranetes works fine because the setup container has the following `ssh_config`:

```
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
```
This configuration disables the host key verification. Please note that this is also a potential security vulnerability. Normally, SSH checks the host key against a known list to ensure you're connecting to the correct server. By setting `StrictHostKeyChecking` to `no`, you bypass this check, which can lead to connecting to untrusted or malicious servers without any warning.
In addition to this potential vulnerability, we also have some Terraform modules with child Terraform modules. The child modules are cloned by Terraform within the init container, which does not have the `ssh_config` that disables host key verification. This causes the following error to occur:
```text
│ on main.tf line 23:
│ 23: module "child-module" {
│
│ Could not download module "child-module" (main.tf:23)
│ source code from
│ "git::ssh://[email protected]:443/child-module.git":
│ error downloading
│ 'ssh://[email protected]:443/child-module.git':
│ /usr/bin/git exited with 128: Cloning into
│ '.terraform/modules/child-module'...
│ Host key verification failed.
│ fatal: Could not read from remote repository.
```
The host key verification fails because the `known_hosts` file is not configured.
Describe the solution you'd like
It would be nice if we could mount a `known_hosts` file into the init and setup containers, and remove the potentially insecure `ssh_config` from the setup container.
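As an added example (not Terranetes project code), the shell script below puts the insecure `ssh_config` quoted above next to a hardened one that points at a mounted `known_hosts` file, and checks that the file actually pins the module host on the port the source URL uses (the issue's source uses port 443, which needs the `[host]:port` entry form). The host `git.example.com:443`, the paths and the key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Terranetes project code. Shows the ssh_config the setup
# container ships, its hardened counterpart, and a check that the mounted
# known_hosts really pins the host:port a module source uses. The host
# git.example.com:443 and the key below are constructed placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/known-hosts-demo.$$"
mkdir -p "$WORK"

# The config quoted in the issue: any presented host key is accepted.
write_insecure_config() {
  printf 'StrictHostKeyChecking no\nUserKnownHostsFile=/dev/null\n' > "$1"
}

# Hardened config: only hosts already listed in the mounted file may connect.
# $1 = ssh_config path, $2 = mounted known_hosts path
write_hardened_config() {
  printf 'StrictHostKeyChecking yes\nUserKnownHostsFile %s\n' "$2" > "$1"
}

# A git source on a non-default port (443 in the issue) needs the "[host]:port"
# form; a bare "host" entry only covers port 22. Placeholder key, not a real one.
write_known_hosts() {
  printf '[git.example.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotArealKey\n' > "$1"
}

# Return 0 if known_hosts ($1) has an unhashed entry for host ($2) on port ($3, default 22).
# Hashed entries (lines starting with "|1|") need: ssh-keygen -F '[host]:port' -f "$1"
known_hosts_has_host() {
  kh=$1; host=$2; port=${3:-22}
  if [ "$port" = 22 ]; then want=$host; else want="[$host]:$port"; fi
  awk -v want="$want" '
    $1 !~ /^[#@|]/ { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == want) { ok = 1; exit } }
    END { exit !ok }' "$kh"
}

# Return 0 only if the config rejects unknown hosts and keeps a real known_hosts file.
config_is_hardened() {
  grep -Eqi '^StrictHostKeyChecking[ =]+yes' "$1" &&
    ! grep -Eqi '^UserKnownHostsFile[ =]+/dev/null' "$1"
}

KH="$WORK/known_hosts"; CFG="$WORK/ssh_config"
write_known_hosts "$KH"
write_hardened_config "$CFG" "$KH"
if config_is_hardened "$CFG" && known_hosts_has_host "$KH" git.example.com 443; then
  echo "ok: $CFG pins [git.example.com]:443 via $KH"
fi
```

When populating the mounted file for a real server, compare the `ssh-keyscan -p 443 <host>` output against the fingerprints the Git hosting provider publishes before committing it, otherwise the pin only records whatever answered at scan time.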
Describe alternatives you've considered
We now use our own `job.yaml` where we add a `known_hosts` volume mount, but this is hard to maintain.