unable to clone: ssh: not an encrypted key #281

Closed
Tracked by #2593
zhongyiio opened this issue Dec 16, 2021 · 3 comments
zhongyiio commented Dec 16, 2021

flux bootstrap git

```console
$ flux bootstrap git \
  --url="https://xxx.git" \
  --components-extra="image-reflector-controller,image-automation-controller" \
  --branch=flux2 \
  --path="clusters/develop" \
  --username="username" \
  --password="password" \
  --ssh-key-algorithm=ed25519 \
  --registry="registry" \
  --image-pull-secret="docker-registry" \
  --log-level="debug" \
  --verbose
```

flux check

```console
$ flux check
► checking prerequisites
✔ Kubernetes 1.20.11 >=1.19.0-0
► checking controllers
✔ helm-controller: deployment ready
► xxx/helm-controller:v0.14.1
✔ image-automation-controller: deployment ready
► xxx/image-automation-controller:v0.18.0
✔ image-reflector-controller: deployment ready
► xxx/image-reflector-controller:v0.14.0
✔ kustomize-controller: deployment ready
► xxx/kustomize-controller:v0.18.2
✔ notification-controller: deployment ready
► xxx/notification-controller:v0.19.0
✔ source-controller: deployment ready
► xxx/source-controller:v0.19.2
✔ all checks passed
```

Error logs

```console
$ kubectl logs -f --tail 3 image-automation-controller-84cf556948-jfxkk
{"level":"debug","ts":"2021-12-16T07:17:05.288Z","logger":"controller.imageupdateautomation","msg":"attempting to clone git repository","reconciler group":"image.toolkit.fluxcd.io","reconciler kind":"ImageUpdateAutomation","name":"flux-system","namespace":"flux-system","gitrepository":{"namespace":"flux-system","name":"flux-system"},"ref":{"branch":"flux2"},"working":"/tmp/flux-system-flux-system15573190"}
{"level":"debug","ts":"2021-12-16T07:17:05.399Z","logger":"events","msg":"Normal","object":{"kind":"ImageUpdateAutomation","namespace":"flux-system","name":"flux-system","uid":"c1039b40-f393-47c9-939f-4d3b40f5f8ab","apiVersion":"image.toolkit.fluxcd.io/v1beta1","resourceVersion":"1109830"},"reason":"error","message":"unable to clone: ssh: not an encrypted key"}
{"level":"error","ts":"2021-12-16T07:17:05.416Z","logger":"controller.imageupdateautomation","msg":"Reconciler error","reconciler group":"image.toolkit.fluxcd.io","reconciler kind":"ImageUpdateAutomation","name":"flux-system","namespace":"flux-system","error":"unable to clone: ssh: not an encrypted key","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
```

ImageUpdateAutomation yaml

```yaml
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  git:
    checkout:
      ref:
        branch: flux2
    commit:
      author:
        email: [email protected]
        name: flux2
      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
    push:
      branch: flux2
  interval: 1m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  update:
    path: ./clusters/develop
    strategy: Setters
```

Possible reason

I searched for the string "not an encrypted key" in the project and found that there is a problem with the logic for checking the SSH private key: the private key generated by ssh-keygen must not have a Proc-Type header.

```json
{"Type":"PRIVATE KEY","Headers":{},"Bytes":"MC4CAQAwBQYDK2VwBCIEIDoJ9G/UwI5GZU+DYKN1eBoVAAd44R9GdhGI164dL9T3"}
```

GOPATH/pkg/mod/golang.org/x/[email protected]/ssh/keys.go:1150

```go
func ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase []byte) (interface{}, error) {
	block, _ := pem.Decode(pemBytes)
	// ...
	if !encryptedBlock(block) || !x509.IsEncryptedPEMBlock(block) {
		return nil, errors.New("ssh: not an encrypted key")
	}
	// ...
}

func encryptedBlock(block *pem.Block) bool {
	return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
}
```
@zhongyiio
Author

It is not always so easy as described in the other answers. It works only with the old PEM keys. New openssh format of the keys (generated with -o option, more secure, since openssh-6.5) looks the same if you check the headers:

```console
ssh-keygen -t rsa -N 'super secret passphrase' -f test_rsa_key -m PEM
```

https://newbedev.com/how-to-check-if-an-ssh-private-key-has-passphrase-or-not
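
Added example, not part of the original thread and not Flux or golang.org/x/crypto code: a standard-library-only Go helper that goes beyond the `Proc-Type` check quoted above and also classifies PKCS#8 and OpenSSH-format keys, where the encryption marker lives in the block type or inside the body rather than in a PEM header. The names `KeyProtection` and `opensshBody` are hypothetical, and the sample body is constructed and contains no key material.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

const opensshMagic = "openssh-key-v1\x00" // starts the body of an OPENSSH PRIVATE KEY block

// KeyProtection (hypothetical helper, not Flux or x/crypto code) returns the
// container format of a PEM private key and whether it needs a passphrase.
func KeyProtection(pemBytes []byte) (string, bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", false, errors.New("no PEM block found")
	}
	switch {
	case block.Type == "OPENSSH PRIVATE KEY":
		// No PEM headers here: the body holds a length-prefixed cipher name
		// right after the magic, and "none" means the key is unencrypted.
		body := bytes.TrimPrefix(block.Bytes, []byte(opensshMagic))
		if len(body) == len(block.Bytes) || len(body) < 4 ||
			uint64(binary.BigEndian.Uint32(body)) > uint64(len(body)-4) {
			return "", false, errors.New("malformed openssh-key-v1 body")
		}
		n := binary.BigEndian.Uint32(body)
		return "openssh", string(body[4:4+n]) != "none", nil
	case block.Type == "ENCRYPTED PRIVATE KEY":
		return "pkcs8", true, nil
	case block.Type == "PRIVATE KEY": // the block type shown in the issue
		return "pkcs8", false, nil
	case strings.HasSuffix(block.Type, " PRIVATE KEY"):
		// Legacy PEM (RSA/EC/DSA): the only form that carries Proc-Type.
		return "legacy-pem", strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"), nil
	}
	return "", false, errors.New("unsupported PEM block type " + block.Type)
}

// opensshBody builds only the start of an openssh-key-v1 body (constructed sample).
func opensshBody(cipher string) []byte {
	return append(append([]byte(opensshMagic), 0, 0, 0, byte(len(cipher))), cipher...)
}

func main() {
	fmt.Println(KeyProtection(pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: opensshBody("aes256-ctr")})))
}
```

Running it against the key stored in a Git credentials secret shows whether a passphrase parser can apply to it at all before the controller attempts a clone.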

@pjbgf
Member

pjbgf commented Mar 22, 2022

The image-automation controller version v0.21.0 upgrades our libgit2 implementation to version 1.3.0 which should resolve this issue.

This will require a redeploy of all components so I would recommend doing so via flux bootstrap using the flux cli version v0.28.0 which will be released tomorrow.

Can you test it again with the version above and let us know how you get on please?

@pjbgf
Member

pjbgf commented May 3, 2022

Closing due to lack of activity. If the issue is still taking place, please comment again on the thread and I will re-open it.

pjbgf closed this as completed May 3, 2022