SSH Known Hosts - vdsharma/argocd GitHub Wiki
Unknown SSH Hosts
When adding git repositories over SSH, you might see an error about unknown hosts. This happens because the git server's SSH host public key is not yet known to ArgoCD, so it cannot verify the server it is connecting to.
TL;DR
- Find the server's public SSH host key from your local machine (assuming you already connect from your local machine to your git repo over SSH):
  ssh-keyscan <SERVER_NAME>
- Copy the output.
- In the ArgoCD UI, go to Settings > Repository Certificates > Add SSH Known Hosts. Paste the contents copied earlier into the SSH known hosts text box and click Create. If the contents are valid, you will not see any error.
- At this point you should be able to add a new repository to ArgoCD.
v1.2 or later
If you are using a privately hosted Git service over SSH, you have the following options:
- You can let ArgoCD connect to the repository in an insecure way, without verifying the server's SSH host key at all. This is done with the --insecure-skip-server-verification flag when adding the repository with the argocd CLI utility. Do this only for non-production setups: skipping host key verification leaves the connection open to man-in-the-middle attacks.
- You can make the server's SSH public host key known to ArgoCD with the cert add-ssh command of the argocd CLI utility. This is the recommended method and is suitable for production use. To do so, you need the server's SSH public host key in the known_hosts format understood by ssh. You can obtain it, for example, with the ssh-keyscan utility.
Note
It can take up to a couple of minutes until the changes performed by the argocd cert command are propagated across your cluster, depending on your Kubernetes setup.
Note
When importing SSH known hosts keys from a known_hosts file, the hostnames or IP addresses in the input data must not be hashed. If your known_hosts file contains hashed entries, it cannot be used as an input source for adding SSH known hosts, neither in the CLI nor in the UI. If you absolutely wish to use hashed known hosts data, the only option is the declarative setup (see below). Be aware that this will break CLI and UI certificate management, so it is generally not recommended.
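The following script is an added example, not part of this wiki page or of the ArgoCD project's own code. It ties together the TL;DR steps, the argocd cert add-ssh method and the hashed-entries note above: it fetches a Git server's host keys with ssh-keyscan, rejects a known_hosts file that contains hashed (|1|...) entries or malformed lines before anything is sent to ArgoCD, prints the fingerprints so they can be compared against the Git provider's published ones, and only then pipes the file into argocd cert add-ssh. The --batch stdin mode of argocd cert add-ssh and the ssh-keyscan -t key type selection are assumed from the argocd and OpenSSH CLIs; the sample known_hosts lines written by make_sample_known_hosts are constructed placeholders, not real host keys.

```shell
#!/bin/sh
# Added example (not the wiki's or ArgoCD's code). Validates a known_hosts
# file before importing it into ArgoCD with `argocd cert add-ssh`.

# Succeeds (exit 0) if any non-comment line is a hashed entry ("|1|...").
# ArgoCD cannot import such entries via the CLI or the UI.
known_hosts_has_hashed() {
    file="$1"
    grep -v '^[[:space:]]*#' "$file" | grep -q '^|1|'
}

# Succeeds only when the file has no hashed entries and every non-empty,
# non-comment line has at least the three fields "host keytype key".
known_hosts_is_importable() {
    file="$1"
    if known_hosts_has_hashed "$file"; then
        return 1
    fi
    awk 'NF && $1 !~ /^#/ { if (NF < 3) bad = 1 } END { exit bad ? 1 : 0 }' "$file"
}

# Prints the number of host key entries (comments and blank lines ignored).
known_hosts_entry_count() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Writes a constructed sample known_hosts file and prints its path.
# "$1" = plain  -> one unhashed entry (importable)
# "$1" = hashed -> one hashed entry   (not importable)
# The key blobs are placeholders, not real host keys.
make_sample_known_hosts() {
    kind="$1"
    f=$(mktemp) || return 1
    if [ "$kind" = "hashed" ]; then
        printf '%s\n' '|1|c2FsdC1wbGFjZWhvbGRlcg==|aGFzaC1wbGFjZWhvbGRlcg== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAFORTHISEXAMPLE' > "$f"
    else
        printf '%s\n' '# constructed sample, not a real key' \
            'git.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATAFORTHISEXAMPLE' > "$f"
    fi
    echo "$f"
}

# Full procedure: scan, show fingerprints, validate, import.
# Needs network access and an `argocd login`; not exercised by the test below.
import_ssh_known_hosts() {
    server="$1"
    tmp=$(mktemp) || return 1
    if ! ssh-keyscan -t ed25519,rsa "$server" > "$tmp" 2>/dev/null; then
        echo "ssh-keyscan failed for $server" >&2
        rm -f "$tmp"; return 1
    fi
    # ssh-keyscan trusts whatever answers: compare these fingerprints with the
    # fingerprints your Git provider publishes before importing.
    ssh-keygen -lf "$tmp"
    if ! known_hosts_is_importable "$tmp"; then
        echo "refusing to import: hashed or malformed entries in $tmp" >&2
        rm -f "$tmp"; return 1
    fi
    argocd cert add-ssh --batch < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demonstration on the constructed samples (no network needed).
plain=$(make_sample_known_hosts plain)
hashed=$(make_sample_known_hosts hashed)
known_hosts_is_importable "$plain" && echo "plain sample: importable ($(known_hosts_entry_count "$plain") entry)"
known_hosts_is_importable "$hashed" || echo "hashed sample: rejected, as ArgoCD would"
rm -f "$plain" "$hashed"
```

Run the real import as import_ssh_known_hosts git.example.com after argocd login. The check matters because ssh-keyscan performs no verification of its own: the key it returns is whatever host answered, so the fingerprint comparison step is where trust is actually established, and the hashed-entry check saves a confusing failure later in the CLI or UI.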