From 5817e4e4f5f95ca365df321e913de3e4839869f5 Mon Sep 17 00:00:00 2001
From: Ogulcan Aydogan
Date: Thu, 26 Mar 2026 07:47:46 +0000
Subject: [PATCH] Improve error message for encrypted SSH keys without password

When a password-protected SSH private key is provided without the 'password' field in the Secret, the error message was misleading: "SSH agent requested but SSH_AUTH_SOCK not-specified" This change detects encrypted SSH keys early by attempting to parse the identity with ssh.ParseRawPrivateKey and checking for PassphraseMissingError. When detected, a clear error is returned pointing the user to add the 'password' field to their Secret.
Fixes fluxcd/source-controller#802
Signed-off-by: Ogulcan Aydogan
---
 internal/controller/gitrepository_controller.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go
index cf36de22c..29719bf3d 100644
--- a/internal/controller/gitrepository_controller.go
+++ b/internal/controller/gitrepository_controller.go
@@ -33,6 +33,7 @@ import (
 	"github.com/fluxcd/pkg/runtime/logger"
 	"github.com/fluxcd/pkg/runtime/secrets"
 	"github.com/go-git/go-git/v5/plumbing/transport"
+	ssh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -651,6 +652,22 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 		return nil, e
 	}
 
+	// Check if SSH identity key is encrypted but no password was provided.
+	if opts.Transport == git.SSH && len(opts.Identity) > 0 && opts.Password == "" {
+		if _, err := ssh.ParseRawPrivateKey(opts.Identity); err != nil {
+			var missingErr *ssh.PassphraseMissingError
+			if errors.As(err, &missingErr) {
+				e := serror.NewGeneric(
+					fmt.Errorf("SSH identity key is encrypted but no 'password' field was provided in the secret '%s/%s'",
+						obj.GetNamespace(), obj.Spec.SecretRef.Name),
+					sourcev1.AuthenticationFailedReason,
+				)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+				return nil, e
+			}
+		}
+	}
+
 	// Configure provider authentication if specified.
 	var getCreds func() (*authutils.GitCredentials, error)
 	switch provider := obj.GetProvider(); provider {
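Review bot: The new encrypted-key branch ships without a test; the diffstat shows only gitrepository_controller.go changed, so a case in the controller test with an encrypted identity and no `password` key, asserting on `AuthenticationFailedReason` and the new message, is needed to keep this error path from regressing. The inner `if` silently ignores every `ParseRawPrivateKey` error other than `*ssh.PassphraseMissingError`, which looks intentional (a malformed key is left to the transport's existing error path), but that is worth stating: `// Any other parse error is left to the transport, which already reports malformed keys.` The message dereferences `obj.Spec.SecretRef.Name`; this is presumably safe because a non-empty `opts.Identity` can only have come from the referenced Secret, but getAuthOpts starts outside the hunk, so please confirm `SecretRef` is guaranteed non-nil at this point. In the import hunk the alias in `ssh "golang.org/x/crypto/ssh"` repeats the package's own name and can be dropped.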