"Unable to extract public key from private key" for ed25519 & libgit2 #399

Closed
squaremo opened this issue Jul 14, 2021 · 5 comments · Fixed by #573
Labels
area/git Git related issues and pull requests bug Something isn't working

Comments

@squaremo
Member

While trying to reproduce fluxcd/image-automation-controller#186, I found that source-controller also seems not to be able to use ed25519 keys.

Steps to reproduce:

  1. install flux in a cluster (a vanilla bootstrap or install will do)
  2. create an ed25519 git secret (any repository URL you own (including one created by bootstrap) will do):
     flux create secret git --ssh-key-algorithm=ed25519 --url=ssh://git@github.com/squaremo/flux-example edie
  3. create a git source that uses the secret and specifies libgit2:
     flux create source git flux-eg --url ssh://git@github.com/squaremo/flux-example --secret-ref=edie --branch=main --git-implementation=libgit2

You may want to install the deploy key at the repo, but I don't think it's necessary to do so to reproduce the problem.

In the GitRepository status I see this message --

unable to clone 'ssh://git@github.com/squaremo/flux-example', error: Failed to authenticate SSH session: Unable to extract public key from private key

@hiddeco
Member

hiddeco commented Jul 15, 2021

This may be a triangular issue around "SSH authentication" in general, see: fluxcd/flux2#1593 and #397

@hiddeco hiddeco added area/git Git related issues and pull requests bug Something isn't working labels Jul 15, 2021
@darkowlzz
Contributor

darkowlzz commented Sep 28, 2021

Hi, I've been testing the ongoing libgit2 changes in #437 and tried to reproduce this issue. I can confirm that this issue gets resolved with the new libgit2 and its dependencies.
Followed the same instructions to reproduce with my own repo, added the deploy key and was able to clone:

GitRepository details:

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  creationTimestamp: "2021-09-28T19:19:55Z"
  finalizers:
  - finalizers.fluxcd.io
  generation: 1
  name: podinfo
  namespace: flux-system
  resourceVersion: "13668630"
  uid: b6d35c84-3c24-43e4-8941-49d460f04bfb
spec:
  gitImplementation: libgit2
  interval: 30s
  ref:
    branch: master
  secretRef:
    name: ssh-ed25519-creds
  timeout: 20s
  url: ssh://git@github.com/darkowlzz/podinfo
status:
  artifact:
    checksum: fa7a0347e046eab3dd768998fc9252b2c0dd5aef
    lastUpdateTime: "2021-09-28T19:20:00Z"
    path: gitrepository/flux-system/podinfo/627d5c4bb67b77185f37e31d734b085019ff2951.tar.gz
    revision: master/627d5c4bb67b77185f37e31d734b085019ff2951
    url: http://source-controller.flux-system.svc.cluster.local./gitrepository/flux-system/podinfo/627d5c4bb67b77185f37e31d734b085019ff2951.tar.gz
  conditions:
  - lastTransitionTime: "2021-09-28T19:20:00Z"
    message: 'Fetched revision: master/627d5c4bb67b77185f37e31d734b085019ff2951'
    reason: GitOperationSucceed
    status: "True"
    type: Ready
  observedGeneration: 1
  url: http://source-controller.flux-system.svc.cluster.local./gitrepository/flux-system/podinfo/latest.tar.gz

This was tested on a raspberry pi arm k3s cluster.

Tried the same with the latest release ghcr.io/fluxcd/source-controller:v0.15.4 and got the following error:

{"level":"error","ts":"2021-09-28T19:36:19.036Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"podinfo","namespace":"flux-system","error":"unable to clone 'ssh://git@github.com/darkowlzz/podinfo', error: Failed to authenticate SSH session: Unable to extract public key from private key."}

@squaremo
Member Author

> I can confirm that this issue gets resolved with the new libgit2

Can we have a unit test to detect regressions?

@darkowlzz
Contributor

Added a test for this in #445 along with some necessary improvements based on the behavior of the test 🙂 .

@hiddeco
Member

hiddeco commented Oct 9, 2021

The latest release of the source-controller (v0.16.0) and image-automation-controller (v0.15.0) contains libgit2 linked against OpenSSL and LibSSH2, which, based on my research and extensive testing, should solve most issues around private key formats.
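
Added example, not part of the issue thread or Flux's own code: a small Go filter that scans source-controller JSON logs for the error reported in this issue and lists each affected GitRepository with its repository URL, so the same objects can be rechecked after an upgrade. The field names come from the log line quoted in darkowlzz's comment; the extra sample lines, the `example.com` URLs and the names `Affected`, `entry`, `marker` and `sampleLogs` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

const marker = "Unable to extract public key from private key" // error text quoted in the issue

// Constructed sample input: the first entry is the log line quoted in the issue, the rest are made up.
const sampleLogs = `{"level":"error","ts":"2021-09-28T19:36:19.036Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"podinfo","namespace":"flux-system","error":"unable to clone 'ssh://git@github.com/darkowlzz/podinfo', error: Failed to authenticate SSH session: Unable to extract public key from private key."}
{"level":"error","ts":"2021-09-28T19:36:49.101Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"podinfo","namespace":"flux-system","error":"unable to clone 'ssh://git@github.com/darkowlzz/podinfo', error: Failed to authenticate SSH session: Unable to extract public key from private key."}
{"level":"error","ts":"2021-09-28T19:37:02.400Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"flux-eg","namespace":"apps","error":"unable to clone 'ssh://git@example.com/org/repo', error: Failed to authenticate SSH session: Unable to extract public key from private key"}
{"level":"error","ts":"2021-09-28T19:37:05.000Z","logger":"controller.gitrepository","msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler kind":"GitRepository","name":"other","namespace":"apps","error":"unable to clone 'ssh://git@example.com/org/other', error: dial tcp: i/o timeout"}
plain text line that is not JSON`

type entry struct {
	Kind      string `json:"reconciler kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
	Err       string `json:"error"`
}

// Affected returns "namespace/name -> url" for each GitRepository whose reconcile failed
// with marker, deduplicated and sorted; non-JSON lines and other errors are skipped.
func Affected(logs string) []string {
	seen := map[string]string{}
	for _, line := range strings.Split(logs, "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) != nil || e.Kind != "GitRepository" || !strings.Contains(e.Err, marker) {
			continue
		}
		url := "unknown"
		if p := strings.SplitN(e.Err, "'", 3); len(p) == 3 {
			url = p[1] // the quoted URL in "unable to clone '<url>'"
		}
		seen[e.Namespace+"/"+e.Name] = url
	}
	out := make([]string, 0, len(seen))
	for k, u := range seen {
		out = append(out, k+" -> "+u)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(Affected(sampleLogs), "\n"))
}
```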
