Improve error message for encrypted SSH keys without password

When a password-protected SSH private key is provided without the
'password' field in the Secret, the error message was misleading:
"SSH agent requested but SSH_AUTH_SOCK not-specified"

This change detects encrypted SSH keys early by attempting to parse
the identity with ssh.ParseRawPrivateKey and checking for
PassphraseMissingError. When detected, a clear error is returned
pointing the user to add the 'password' field to their Secret.

Fixes #802

Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>

Author: ogulcanaydogan

internal/controller/gitrepository_controller.go

@@ -33,6 +33,7 @@ import (
 	"github.com/fluxcd/pkg/runtime/logger"
 	"github.com/fluxcd/pkg/runtime/secrets"
 	"github.com/go-git/go-git/v5/plumbing/transport"
+	ssh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -651,6 +652,22 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 		return nil, e
 	}
 
+	// Check if SSH identity key is encrypted but no password was provided.
+	if opts.Transport == git.SSH && len(opts.Identity) > 0 && opts.Password == "" {
+		if _, err := ssh.ParseRawPrivateKey(opts.Identity); err != nil {
+			var missingErr *ssh.PassphraseMissingError
+			if errors.As(err, &missingErr) {
+				e := serror.NewGeneric(
+					fmt.Errorf("SSH identity key is encrypted but no 'password' field was provided in the secret '%s/%s'",
+						obj.GetNamespace(), obj.Spec.SecretRef.Name),
+					sourcev1.AuthenticationFailedReason,
+				)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+				return nil, e
+			}
+		}
+	}
+
 	// Configure provider authentication if specified.
 	var getCreds func() (*authutils.GitCredentials, error)
 	switch provider := obj.GetProvider(); provider {