search

fluxcd / flux

Successor: https://github.com/fluxcd/flux2
https://fluxcd.io
Apache License 2.0
6.9k stars 1.08k forks source link

Update GitHub host key #3570

Closed stefanprodan closed 2 years ago

stefanprodan commented 2 years ago

GitHub has changed its SSH host keys from DSA to ECDSA, we need to update the know_hosts generated by https://github.com/fluxcd/flux/blob/master/docker/known_hosts.sh and publish a new container image.

kingdonb commented 2 years ago

Testing indicated that Flux users who have generated their SSH keys in the default way, will not run afoul of these key changes.

It seems that RSA keys with SHA-2 signatures can still be accepted, and Flux v1 generates those keys in the way that GitHub still finds acceptable. The only users who should be affected by this are folks who have generated an ECDSA or Ed25519 key, since they will need the new host keys that have only just been published and started being used by github.com today.

I'm still preparing 1.24.3 in the release branch and will do a release ASAP, but as long as we don't see users reporting this issue I think we are unlikely to see any droves of Flux v1 users affected by this issue, only those that have chosen their own keys.

(The diff in #3571 indicates that no keys have been removed, and the blog post from https://github.blog/2021-09-01-improving-git-protocol-security-github/ seems to back that up -- only DSA keys support, and newly uploaded SSH keys with SHA-1 signatures, should have been disabled today. Flux v1 apparently depends on neither of those in the default configuration. 👍)

bobalong79 commented 2 years ago

Hi, it seems my clones have stopped working and I'd appreciate any tips on how to generate a new key and get back online.

Edit - I've just seen this discussion so should be ok with that: https://github.com/fluxcd/flux2/discussions/2097

kingdonb commented 2 years ago

Thanks for your report @bobalong79 -- can I assume you solved this, and you are using Flux v2 (not Flux v1)?

I am still looking for any reports from Flux v1 users who might need this published into a release. I'm planning on doing the release today, since without it CI would have broken. But if there is no class of Flux v1 user who would have been affected, (and so far we haven't identified any), then I just want to note that in the release notes.

So far in my testing, I found that Flux v1 was not affected, other than the CI which needed an update to keep running. Either Flux is automatically adding the new keys, as Git is smart enough to do that (I'm guessing this happens with the UpdateHostKeys extension) or something else that I don't understand means this issue does not affect Flux v1 users.

I'll be pushing the new release out in a couple of hours. Will police up any new issue reports that might have been posted to Flux v1 or Helm Operator in the last few days just in case I have missed something.

bobalong79 commented 2 years ago

Yes I solved it by manually changing the known_hosts entry in the flux-configuration secret. I'm running flux2:

$ flux version
flux: v0.22.0
helm-controller: v0.11.1
image-automation-controller: v0.14.0
image-reflector-controller: v0.11.0
kustomize-controller: v0.13.1
notification-controller: v0.15.0
source-controller: v0.15.3