Improve error message for encrypted SSH keys without password

Detect encrypted SSH identity keys early in getAuthOpts() by parsing
with ssh.ParseRawPrivateKey and checking for PassphraseMissingError.
When detected, return a clear error pointing the user to add the
'password' field to their Secret instead of the misleading
"SSH agent requested but SSH_AUTH_SOCK not-specified" message.

Fixes #802

Signed-off-by: Ogulcan Aydogan <ogulcanaydogan@hotmail.com>

Author: ogulcanaydogan

internal/controller/gitrepository_controller.go

@@ -33,6 +33,7 @@ import (
 	"github.com/fluxcd/pkg/runtime/logger"
 	"github.com/fluxcd/pkg/runtime/secrets"
 	"github.com/go-git/go-git/v5/plumbing/transport"
+	ssh "golang.org/x/crypto/ssh"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -651,6 +652,21 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 		return nil, e
 	}
 
+	// Check if SSH identity key is encrypted but no password was provided.
+	if opts.Transport == git.SSH && len(opts.Identity) > 0 && opts.Password == "" {
+		_, err := ssh.ParseRawPrivateKey(opts.Identity)
+		var missingErr *ssh.PassphraseMissingError
+		if errors.As(err, &missingErr) {
+			e := serror.NewGeneric(
+				fmt.Errorf("SSH identity key is encrypted but no 'password' field was provided in the secret '%s/%s'",
+					obj.GetNamespace(), obj.Spec.SecretRef.Name),
+				sourcev1.AuthenticationFailedReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return nil, e
+		}
+	}
+
 	// Configure provider authentication if specified.
 	var getCreds func() (*authutils.GitCredentials, error)
 	switch provider := obj.GetProvider(); provider {