Switch to crypto/ssh for parsing of private keys

This changes the logic for the parsing of private keys, as already done for the source-controller, so that it is able to recognize and work with a wider range of key formats instead of returning a vague error: ```console $ flux bootstrap git [..] ✗ ssh: this private key is passphrase protected ``` A patch for this was already submitted and merged in `go-git/go-git`, but is not made available in a release yet: https://github.com/go-git/go-git/pull/298 Signed-off-by: Hidde Beydals <hello@hidde.co>
2026-02-06 19:05:55 +00:00 · 2021-05-10 15:20:01 +02:00
parent 12ea028aa9
commit fbe7050cb8
1 changed files with 15 additions and 1 deletions
--- a/cmd/flux/bootstrap_git.go
+++ b/cmd/flux/bootstrap_git.go
@@ -30,6 +30,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
+	cryptossh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"

 	"github.com/fluxcd/flux2/internal/bootstrap"
@@ -232,7 +233,20 @@ func transportForURL(u *url.URL) (transport.AuthMethod, error) {
 		}, nil
 	case "ssh":
 		if bootstrapArgs.privateKeyFile != "" {
-			return ssh.NewPublicKeysFromFile(u.User.Username(), bootstrapArgs.privateKeyFile, gitArgs.password)
+			// TODO(hidde): replace custom logic with https://github.com/go-git/go-git/pull/298
+			//  once made available in go-git release.
+			bytes, err := ioutil.ReadFile(bootstrapArgs.privateKeyFile)
+			if err != nil {
+				return nil, err
+			}
+			signer, err := cryptossh.ParsePrivateKey(bytes)
+			if _, ok := err.(*cryptossh.PassphraseMissingError); ok {
+				signer, err = cryptossh.ParsePrivateKeyWithPassphrase(bytes, []byte(gitArgs.password))
+			}
+			if err != nil {
+				return nil, err
+			}
+			return &ssh.PublicKeys{Signer: signer, User: u.User.Username()}, nil
 		}
 		return nil, nil
 	default: