New SSH Fingerprints to Flux
Getting the following error from FluxCD:
gitrepository/flux-system.flux-system
failed to checkout and determine revision: unable to list remote for 'ssh://flux@var.aether.earth:22222/sys/flux-config.git': ssh: handshake failed: knownhosts: key mismatch
So how do I fix it?
This error means the SSH host key presented by my git server (var.aether.earth) no longer matches the one Flux trusts.
The Flux source-controller (the SSH client here) reads a known_hosts file from a Kubernetes secret; that file pins the host key it expects from var.aether.earth. The server is now presenting a different key, and the client refuses the handshake with "key mismatch" because an unexpected host key is exactly what a man-in-the-middle attack looks like.
This typically happens if the git server was re-installed or its SSH host keys were regenerated. Before trusting the new key, confirm that this is really what happened: the fix below is only safe if the server's key legitimately changed.
How to Fix It
I need to update the known_hosts data within the Kubernetes secret used by Flux.
1. Find my Flux SSH Secret
First, find the name of the secret my GitRepository object is using.
kubectl get gitrepository flux-system -n flux-system -o jsonpath='{.spec.secretRef.name}'
(This will likely output flux-system, but confirm it.)
2. Get the New Host Key
Run ssh-keyscan against my Git server (soft-serve) to get its new public key. Make sure to use the correct port: for a non-default port ssh-keyscan writes the entry as [var.aether.earth]:22222, and that is the host:port form Flux will look up.
ssh-keyscan -p 22222 var.aether.earth > new_known_hosts
(This saves the new key to a file named new_known_hosts. Before using it, compare the fingerprint of the scanned key with the fingerprint of the server's own host key, obtained over a channel you already trust, such as the server's console or the key file on the server itself. A key scanned over the network is only as trustworthy as that comparison.)
3. Update the Kubernetes Secret
Now, patch the secret with this new known_hosts file. We'll base64-encode the file and send it directly as a strategic merge patch, which replaces only the known_hosts key and leaves the identity and identity.pub keys in the secret untouched.
Replace flux-system below if the secret name from Step 1 was different.
# Bash or Zsh
kubectl patch secret flux-system \
-n flux-system \
-p="{\"data\":{\"known_hosts\":\"$(base64 -w0 new_known_hosts)\"}}"
(Note: The -w0 flag for base64 prevents line wrapping, which is important for the patch. It is a GNU coreutils flag; on macOS/BSD, pipe the output through tr to strip the newlines instead.)
4. Restart the Source Controller
Finally, restart the Flux source-controller pod to force it to reload the updated secret.
kubectl rollout restart deployment/source-controller -n flux-system
After the pod restarts, Flux reconciles the GitRepository again and should connect to my soft-serve server successfully; the GitRepository's Ready condition going back to True confirms it. If the mismatch error comes back, the key in the secret still does not match what the server presents, so repeat Step 2 and compare fingerprints before patching again.
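The four steps above collected into one script, with the out-of-band fingerprint check made explicit before the secret is patched. This is an added example, not code from the original post or from Flux; it assumes kubectl, ssh-keyscan and ssh-keygen are on PATH, that the secret stores the entry under the key known_hosts (Flux's convention), and that the namespace, GitRepository name and port are passed on the command line. The helper functions are kept separate from the kubectl-driven flow so they can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not the original post's code): rotate the known_hosts entry in the
# Flux SSH secret, showing old and new fingerprints before trusting the new key.
# Assumes kubectl, ssh-keyscan and ssh-keygen on PATH; the secret key is "known_hosts".

# known_hosts host pattern as ssh-keyscan emits it: "[host]:port" unless the port is 22
known_hosts_pattern() {
    if [ "$2" = "22" ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# base64 a file on a single line (portable: GNU has -w0, BSD/macOS does not)
b64_nowrap() {
    base64 < "$1" | tr -d '\n'
}

# strategic-merge patch body that replaces only the known_hosts key of the secret
known_hosts_patch() {
    printf '{"data":{"known_hosts":"%s"}}' "$(b64_nowrap "$1")"
}

# key types present in a known_hosts file, one per line (field 2 of each entry)
key_types() {
    awk '!/^#/ && NF >= 3 { print $2 }' "$1"
}

# succeed if FILE has at least one entry whose host field is exactly PATTERN
has_entry() {
    awk -v p="$2" '!/^#/ && $1 == p { found = 1 } END { exit !found }' "$1"
}

# scan HOST:PORT into FILE; ssh-keyscan's banner goes to stderr, so only keys land in FILE
scan_host() {
    ssh-keyscan -p "$2" -t ed25519,ecdsa,rsa "$1" > "$3" 2>/dev/null
    [ -s "$3" ] || { echo "ssh-keyscan returned nothing for $1:$2" >&2; return 1; }
}

# SHA256 fingerprints of every entry in a known_hosts file, for out-of-band comparison
fingerprints() {
    ssh-keygen -lf "$1"
}

# decode the known_hosts currently stored in the secret (empty output if the key is absent)
current_known_hosts() {
    kubectl get secret "$1" -n "$2" -o jsonpath='{.data.known_hosts}' | base64 --decode
}

main() {
    host=$1; port=${2:-22}; ns=${3:-flux-system}; repo=${4:-flux-system}
    secret=$(kubectl get gitrepository "$repo" -n "$ns" -o jsonpath='{.spec.secretRef.name}')
    [ -n "$secret" ] || { echo "GitRepository $ns/$repo has no secretRef" >&2; exit 1; }

    new=$(mktemp); old=$(mktemp)
    scan_host "$host" "$port" "$new" || exit 1
    has_entry "$new" "$(known_hosts_pattern "$host" "$port")" \
        || { echo "scan has no entry for the expected host:port pattern" >&2; exit 1; }
    current_known_hosts "$secret" "$ns" > "$old" || true

    echo "== currently trusted (secret $ns/$secret) =="
    if [ -s "$old" ]; then fingerprints "$old"; fi
    echo "== presented now by $host:$port =="
    fingerprints "$new"
    # The scan alone proves nothing: a MITM would produce a clean-looking key too.
    printf 'Do these fingerprints match what the server operator reports? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || { echo "aborting; not trusting an unverified host key" >&2; exit 1; }

    kubectl patch secret "$secret" -n "$ns" -p "$(known_hosts_patch "$new")"
    kubectl rollout restart deployment/source-controller -n "$ns"
    rm -f "$new" "$old"
}

# run only when given a host, so the helpers can be sourced or tested without a cluster
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage is `sh update-flux-known-hosts.sh var.aether.earth 22222 flux-system flux-system` (the file name is an assumption). The script prints the fingerprints it is about to trust next to the ones Flux trusts today and stops unless you confirm they match what the server side reports; that prompt is the step the manual procedure leaves to the reader.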