feat: add env var for ssh private key

[DanielleMaywood]

Closes #333

Allow passing a base64 encoded ssh private key to ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64 and using this for git authentication.

[mafredri]

I think we should also have an integration test to confirm that this works as expected. Perhaps also validating the behavior when both file and base64 is given.

[mafredri]

It might be worth thinking about what the behavior should be if both key path and key base64 is given. Do we exit immediately (invalid input)? Do we prefer one over the other? How do we inform the user?

[johnstcn]

To be honest, I think we should error if both are provided. Removes any ambiguity.

[DanielleMaywood]

Agreed with erroring, have made that change 👍

[mafredri]

Suggested change

	Description: "SSH private key to be used for Git authentication.",
	Description: "Base64 encoded SSH private key to be used for Git authentication. This option takes precedence over the private key path option.",

The "This option takes ..." is just there for completeness, may be rewritten depending on how the final implementation turns out.

[DanielleMaywood]

As we error on having both provided, do we document this in both of the descriptions?

[johnstcn]

Yep, we should be explicit that both options are mutually exclusive.

[DanielleMaywood]

Have documented this now 👍

[johnstcn]

I think we should also have an integration test to confirm that this works as expected. Perhaps also validating the behavior when both file and base64 is given.

There's a test SSH server implementation you can probably re-use here: https://github.com/coder/terraform-provider-envbuilder/blob/main/internal/provider/git_test.go#L85

[mafredri]

There's a test SSH server implementation you can probably re-use here: coder/terraform-provider-envbuilder@main/internal/provider/git_test.go#L85

Yep, that should work. I believe only the PublicKeyHandler implementation needs to be updated to reject/accept the key.

[johnstcn]

Once we have an integration test, this will be good to go! 👍

[DanielleMaywood]

I've added an integration test. It works similar to the existing tests in git_test.go. Rather than checking it has worked without error (as the current git ssh server impl doesn't appear to work properly), it instead checks that the error is one that comes after auth has ran.

envbuilder/git/git_test.go

Lines 266 to 268 in 58ac15f

	// TODO: ideally, we want to test the entire cloning flow.
	// For now, this indicates successful ssh key auth.
	require.ErrorContains(t, err, "repository not found")

[murrayju]

I've found that this works, but I couldn't find an example anywhere, so it took a very long time to figure out. Sharing in case this helps someone like me in the future:

locals {
  # ...
  envbuilder_env = {
    # ...
    "ENVBUILDER_GIT_SSH_PRIVATE_KEY_BASE64" : base64encode(data.coder_workspace_owner.me.ssh_private_key),
  }
  # Convert the above map to the format expected by the docker provider.
}

[johnstcn]

Thanks for the heads-up @murrayju ! I've added a PR to document this feature.

#442

[murrayju]

Thanks, that looks helpful. In particular, I was using this coder template. I'd suggest that this template should be updated to include this config, so that private repos can be used.