Merge 566bbe6e00 into fa7cd5f847

cmd/flux/bootstrap_git.go

@@ -364,6 +364,9 @@ func getAuthOpts(u *url.URL, caBundle []byte) (*git.AuthOptions, error) {
 			Password:  gitArgs.password,
 		}
 		if bootstrapArgs.privateKeyFile != "" {
+			if strings.HasPrefix(bootstrapArgs.privateKeyFile, "~") {
+				return nil, fmt.Errorf("failed to open private key file: path %q starts with '~' which is not expanded; use an absolute path or $HOME", bootstrapArgs.privateKeyFile)
+			}
 			pk, err := os.ReadFile(bootstrapArgs.privateKeyFile)
 			if err != nil {
 				return nil, err

cmd/flux/create_secret_git_test.go

@@ -56,6 +56,11 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",
 			assert: assertError("user credentials and bearer token cannot be used together"),
 		},
+		{
+			name:   "ssh key with tilde path",
+			args:   "create secret git podinfo-auth --url=ssh://git@github.com/stefanprodan/podinfo --private-key-file=~/.ssh/id_ecdsa --namespace=my-namespace --export",
+			assert: assertError(`failed to open private key file: path "~/.ssh/id_ecdsa" starts with '~' which is not expanded; use an absolute path or $HOME`),
+		},
 	}
 
 	for _, tt := range tests {

pkg/manifestgen/sourcesecret/sourcesecret.go

@@ -27,6 +27,7 @@ import (
 	"net"
 	"os"
 	"path"
+	"strings"
 	"time"
 
 	cryptssh "golang.org/x/crypto/ssh"
@@ -321,6 +322,10 @@ func LoadKeyPairFromPath(path, password string) (*ssh.KeyPair, error) {
 		return nil, nil
 	}
 
+	if strings.HasPrefix(path, "~") {
+		return nil, fmt.Errorf("failed to open private key file: path %q starts with '~' which is not expanded; use an absolute path or $HOME", path)
+	}
+
 	b, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open private key file: %w", err)