Fail if SSH is used but no private key given

When using SSH, a key must be obtained from somewhere. On the command line, git would either use the ssh-agent socket, or try to use a key in ~/.ssh. go-git mirrors this, by resorting to ssh-agent if it is not given any other choices. But in the operator container, it doesn't make sense too try to use ssh-agent, because there's no chance to add keys to it -- its only purpose would be to stop go-git from complaining. So: treat it as an error if someone uses an SSH git URL, but doesn't supply a private SSH key. Signed-off-by: Michael Bridgen <[email protected]>
pulumi · Nov 8, 2022 · e9ee5ab · e9ee5ab
1 parent 35f3065
commit e9ee5ab
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/pkg/controller/stack/stack_controller.go b/pkg/controller/stack/stack_controller.go
@@ -1433,6 +1433,12 @@ func (sess *reconcileStackSession) DestroyStack(ctx context.Context) error {
 func (sess *reconcileStackSession) SetupGitAuth(ctx context.Context) (*auto.GitAuth, error) {
 	gitAuth := &auto.GitAuth{}
 
+	// check that the URL is valid (and we'll use it later to check we got appropriate auth)
+	u, err := giturls.Parse(sess.stack.ProjectRepo)
+	if err != nil {
+		return gitAuth, err
+	}
+
 	if sess.stack.GitAuth != nil {
 		if sess.stack.GitAuth.SSHAuth != nil {
 			privateKey, err := sess.resolveResourceRef(ctx, &sess.stack.GitAuth.SSHAuth.SSHPrivateKey)
@@ -1516,6 +1522,10 @@ func (sess *reconcileStackSession) SetupGitAuth(ctx context.Context) (*auto.GitA
 		}
 	}
 
+	if u.Scheme == "ssh" && gitAuth.SSHPrivateKey == "" {
+		return gitAuth, fmt.Errorf("a private key must be provided for SSH")
+	}
+
 	return gitAuth, nil
 }