Prevent attack on baked-in host keys

[squaremo]

We bake a known_hosts file with entries for github.com, gitlab.com and bitbucket.com into the fluxd and helm-operator images, for convenience when using them with these services (it means you don't have to supply a known-hosts of your own).

However, an attacker with some access to the build process could substitute bogus host keys.

[stephenmoloney]

So for reference purposes, the fingerprints (against which the ssh keys can be verified) for some of the vendors are outlined in links below:

Vendor	Url
gitlab.com	https://docs.gitlab.com/ee/user/gitlab_com/#ssh-host-keys-fingerprints
github.com	https://help.github.com/articles/github-s-ssh-key-fingerprints/
bitbucket.com	https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html?_ga=2.218915353.1800597462.1533976560-140885449.1533976560

[stephenmoloney]

Added a script to check against pre-baked keys that came from the references above.

Ref: #1283

[stephenmoloney]

can close now !