Closed
Description
flux bootstrap git
$ flux bootstrap git \
    --url="https://xxx.git" \
    --components-extra="image-reflector-controller,image-automation-controller" \
    --branch=flux2 \
    --path="clusters/develop" \
    --username="username" \
    --password="password" \
    --ssh-key-algorithm=ed25519 \
    --registry="registry" \
    --image-pull-secret="docker-registry" \
    --log-level="debug" \
    --verbose
flux check
$ flux check
► checking prerequisites
✔ Kubernetes 1.20.11 >=1.19.0-0
► checking controllers
✔ helm-controller: deployment ready
► xxx/helm-controller:v0.14.1
✔ image-automation-controller: deployment ready
► xxx/image-automation-controller:v0.18.0
✔ image-reflector-controller: deployment ready
► xxx/image-reflector-controller:v0.14.0
✔ kustomize-controller: deployment ready
► xxx/kustomize-controller:v0.18.2
✔ notification-controller: deployment ready
► xxx/notification-controller:v0.19.0
✔ source-controller: deployment ready
► xxx/source-controller:v0.19.2
✔ all checks passed
Error logs
$ kubectl logs -f --tail 3 image-automation-controller-84cf556948-jfxkk
{"level":"debug","ts":"2021-12-16T07:17:05.288Z","logger":"controller.imageupdateautomation","msg":"attempting to clone git repository","reconciler group":"image.toolkit.fluxcd.io","reconciler kind":"ImageUpdateAutomation","name":"flux-system","namespace":"flux-system","gitrepository":{"namespace":"flux-system","name":"flux-system"},"ref":{"branch":"flux2"},"working":"/tmp/flux-system-flux-system15573190"}
{"level":"debug","ts":"2021-12-16T07:17:05.399Z","logger":"events","msg":"Normal","object":{"kind":"ImageUpdateAutomation","namespace":"flux-system","name":"flux-system","uid":"c1039b40-f393-47c9-939f-4d3b40f5f8ab","apiVersion":"image.toolkit.fluxcd.io/v1beta1","resourceVersion":"1109830"},"reason":"error","message":"unable to clone: ssh: not an encrypted key"}
{"level":"error","ts":"2021-12-16T07:17:05.416Z","logger":"controller.imageupdateautomation","msg":"Reconciler error","reconciler group":"image.toolkit.fluxcd.io","reconciler kind":"ImageUpdateAutomation","name":"flux-system","namespace":"flux-system","error":"unable to clone: ssh: not an encrypted key","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227"}
ImageUpdateAutomation yaml
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  git:
    checkout:
      ref:
        branch: flux2
    commit:
      author:
        email: fluxcdbot@xxx.xxx
        name: flux2
      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
    push:
      branch: flux2
  interval: 1m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  update:
    path: ./clusters/develop
    strategy: Setters
Possible reason
I searched for the string "not an encrypted key" in the project and found that there is a problem with the logic for checking the SSH private key: the private key generated by ssh-keygen must not have a Proc-Type header.
{"Type":"PRIVATE KEY","Headers":{},"Bytes":"MC4CAQAwBQYDK2VwBCIEIDoJ9G/UwI5GZU+DYKN1eBoVAAd44R9GdhGI164dL9T3"}
GOPATH/pkg/mod/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b/ssh/keys.go:1150
func ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase []byte) (interface{}, error) {
	block, _ := pem.Decode(pemBytes)
	...
	if !encryptedBlock(block) || !x509.IsEncryptedPEMBlock(block) {
		return nil, errors.New("ssh: not an encrypted key")
	}
	...
}

func encryptedBlock(block *pem.Block) bool {
	return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
}
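
A pre-flight check along the lines of the diagnosis above, as an added example that is not code from Flux or golang.org/x/crypto: using only the Go standard library, it decides whether a PEM private key is passphrase-protected, so a caller can tell whether the passphrase parser applies before handing it a password. The names `keyNeedsPassphrase` and `constructedPKCS8Key` are hypothetical, the sample key is generated on the fly, and the OpenSSH branch goes beyond the PKCS#8 case shown in the report.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// keyNeedsPassphrase reports whether a PEM private key is passphrase-protected,
// so the caller knows whether the passphrase parser applies to it at all.
func keyNeedsPassphrase(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false, errors.New("no PEM block found")
	}
	if block.Type == "OPENSSH PRIVATE KEY" {
		// openssh-key-v1: magic, then a length-prefixed cipher name ("none" = plain).
		magic := []byte("openssh-key-v1\x00")
		if !bytes.HasPrefix(block.Bytes, magic) || len(block.Bytes) < len(magic)+4 {
			return false, errors.New("malformed OpenSSH key")
		}
		rest := block.Bytes[len(magic):]
		n := int(binary.BigEndian.Uint32(rest))
		if n < 0 || n > len(rest)-4 {
			return false, errors.New("malformed OpenSSH key")
		}
		return string(rest[4:4+n]) != "none", nil
	}
	// For every other PEM type, mirror the Proc-Type header test quoted above.
	return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"), nil
}

// constructedPKCS8Key builds a throwaway unencrypted ed25519 key with the same
// shape as the block in the report: type "PRIVATE KEY", no headers.
func constructedPKCS8Key() []byte {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	enc, err := keyNeedsPassphrase(constructedPKCS8Key())
	fmt.Println("needs passphrase:", enc, "err:", err)
}
```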