strictHostKeyChecking and ignoreLocalSshSettings are not working in spring cloud config server

[himnay]

We are running the spring config server on Eks pods. Service needs to clone the git repo during startup using SSH. We have the key pair generated, and it works fine locally on a VM, i.e outside the cloud environment, but breaks inside the k8s pod. After investing, we found the issue is that the config server looks for .ssh/known_hosts and the server key for validation. We have since run in pods that obviously cannot be set up as .ssh/know_hosts. We tried using the property below to ignore these checks, but the config server doesn't respect this property.

//application.yml
type: git
cloneOnStart: true
uri: ssh://git@*******.com/xx/yyy.git
skipSslValidation: true
ignoreLocalSshSettings: true
strictHostKeyChecking: false
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
*****************
*****************
-----END RSA PRIVATE KEY-----

// exception
Exception:
Caused by org.eclipse.jgit.api.errors.TransportException: ssh://git@****.com/xx/yyy.git: Server key did not validate
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:249)
....
....
at org.springframework.cloud.config.server.environment.JGitEnvironnmentRepository.cloneToBaseDir(JGitEnvironmentRepository.java:659)
...
...
Caused by org.eclipse.jgit.api.errors.TransportException: ssh://git@****.com/xx/yyy.git: Server key did not validate
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:249)
at org.eclipse.jgit.transport.sshd.SshdSessionFactory.getSession(SshdSessionFactory.java:267) 

[ryanjbaxter]

Does it work if you do not use cloneOnStart? Can you provide the complete application.yaml?

[himnay]

Hi Ryan,
There is nothing wrong with the property setup or hierarchy. As I told you, it works perfectly when you have a .ssh/known_hosts and sshkey domain and validation key. I have alternately put this code to make it work on the eks pod, i.e. I need to make sure SshSessionFactory uses PropertyBasedSshSessionFactory instead of SshdSessionFactory explicitly. This behaviour is a bug or needs to be documented.

    @Bean
    public SshSessionFactory sshSessionFactory() {
        Map<String, JGitEnvironmentProperties> sshKeysByHostName = new HashMap<>();
        JGitEnvironmentProperties gitProperties = new JGitEnvironmentProperties();
        gitProperties.setUri("ssh://[email protected]/xx/yyy.git");
        gitProperties.setPrivateKey(
            "-----BEGIN RSA PRIVATE KEY-----\n"
            + "MIIEowIBAAKCAQEA... (your private key content here) ...\n"
            + "-----END RSA PRIVATE KEY-----\n"
        );
        gitProperties.setStrictHostKeyChecking(false);

		
        sshKeysByHostName.put("git.your-repo.com", gitProperties);
        PropertyBasedSshSessionFactory factory = new PropertyBasedSshSessionFactory(sshKeysByHostName);
        SshSessionFactory.setInstance(factory);

        return factory;
    }

[ryanjbaxter]

But you seem to be saying that the configuration to used PropertyBasedSshSessionFactory works fine unless you are running the application on Kubernetes, so I am trying to understand the cause of that. To me it seems like something might be wrong with the configuration when running on Kubernetes.

[himnay]

PropertyBasedSshSessionFactory is never getting used(no matter its in or out of the k8s pod) without explicitly creating and setting it in SshSessionFactory. At present, current behaviours use only SshdSessionFactory. The spring configuration server uses properties to initiate its internal beans but only uses SshdSessionFactory.