Merge pull request #107 from meshcloud/feature/configure_known_hosts_in_terraform_runner

meshkodiak[bot] · web-flow · commit 62b695ed1d82 · 2022-11-28T12:28:23.000Z
feat: configurable known hosts for ssh
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,7 @@
 - no changes
 
 ### Terraform Runner
-- no changes
+- Configure known hosts via environment variable
 
 ## v1.7.3
 
diff --git a/terraform-runner/Dockerfile b/terraform-runner/Dockerfile
@@ -23,6 +23,8 @@ RUN mkdir ~/unipipe
 COPY run-unipipe-terraform.sh /root/unipipe/run-unipipe-terraform.sh
 RUN chmod 0755 ~/unipipe/run-unipipe-terraform.sh
 
+# We add known_hosts entries for GitHub because they can be queried safely and we use them for development
+# For other git servers, set the KNOWN_HOSTS environment variable of the container
 RUN mkdir ~/.ssh
 RUN curl --silent https://api.github.com/meta \
   | jq --raw-output '"github.com "+.ssh_keys[]' >> ~/.ssh/known_hosts
@@ -31,4 +33,4 @@ COPY entry.sh /root/unipipe/entry.sh
 RUN chmod 0755 /root/unipipe/entry.sh
 
 CMD ["/usr/sbin/crond", "-f", "-l", "8"]
-ENTRYPOINT ["/root/unipipe/entry.sh"]
+ENTRYPOINT ["/root/unipipe/entry.sh"]
diff --git a/terraform-runner/README.MD b/terraform-runner/README.MD
@@ -33,3 +33,14 @@ as you can see in the following:
 docker pull ghcr.io/meshcloud/unipipe-terraform-runner:latest
 docker run -t -i -e GIT_SSH_KEY="$(<my-ssh-key-file)" --env-file env.list ghcr.io/meshcloud/unipipe-terraform-runner:latest
 ```
+
+By default terraform-runner trusts GitHub's public SSH keys.
+If you work with a remote repo that is not hosted on GitHub, you need to set the KNOWN_HOSTS environment variable.
+
+```
+docker run -it \
+-e GIT_SSH_KEY="$(<my-ssh-key-file)" \
+-e KNOWN_HOSTS="$(<my-known-hosts-file)" \
+--env-file env.list \
+ghcr.io/meshcloud/unipipe-terraform-runner:latest
+```
diff --git a/terraform-runner/run-unipipe-terraform.sh b/terraform-runner/run-unipipe-terraform.sh
@@ -5,6 +5,10 @@ set -o errtrace
 set -o pipefail
 set -o nounset
 
+if [[ -n $KNOWN_HOSTS ]]; then
+   echo "$KNOWN_HOSTS" > ~/.ssh/known_hosts
+fi
+
 REPO_NAME=instances-repo
 REPO_DIR=~/unipipe/$REPO_NAME
 if [[ ! -d "$REPO_DIR" ]]; then
@@ -21,4 +25,4 @@ cd $REPO_DIR
 
 /usr/local/bin/unipipe git pull $REPO_DIR
 /usr/local/bin/unipipe terraform $REPO_DIR
-/usr/local/bin/unipipe git push $REPO_DIR -m "processed instances via unipipe terraform"
+/usr/local/bin/unipipe git push $REPO_DIR -m "processed instances via unipipe terraform"
