feat(ssh): add support for configurable SSH key algorithm and improve key handling

janikvonrotz · janikvonrotz · commit d46802c670ea · 2025-11-13T19:42:04.000+01:00
diff --git a/images/odoo/README.md b/images/odoo/README.md
@@ -117,6 +117,7 @@ services:
       GIT_AUTHOR_EMAIL: you@example.com
       GIT_SSH_PUBLIC_KEY: "ssh-ed25519 BBBBC3NzaC1lZDI1NTE5BBBBIDR9Ibi0mATjCyx1EYg594oFkY0rghtgo+pnFHOvAcym Mint-System-Project-MCC@github.com"
       GIT_SSH_PRIVATE_KEY: "LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLQpiM0JsYm5OemFDMXJaWGt0ZGpFQUFBQUFCRzV2Ym1VQUFBQUVibTl1WlFBQUFBQUFBQUFCQUFBQU13QUFBQXR6YzJndFpXClF5TlRVeE9RQUFBQ0EwZlNHNHRKZ0U0d3NzZFJHSU9mZUtCWkdOSzRJYllLUHFaeFJ6cndITXBnQUFBS2k1WkJhRnVXUVcKaFFBQUFBdHpjMmd0WldReU5UVXhPUUFBQUNBMGZTRzR0SmdFNHdzc2RSR0lPZmVLQlpTks0SWJZS1BxWnhSenJ3SE1wZwowQkFnTT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg=="
+      SSH_ID_ALGORITHM: id_ed25519 
       GITHUB_USERNAME: bot-mintsys
       GITHUB_PAT: *****
       GITLAB_URL: https://gitlab.com
@@ -367,6 +368,7 @@ The image can clone git repositories.
 - `GIT_AUTHOR_EMAIL: Set user email global git config.
 - `GIT_SSH_PUBLIC_KEY`: Public key for SSH connection.
 - `GIT_SSH_PRIVATE_KEY`: Base64 encoded private key for SSH connection: `cat ~/.ssh/id_ed2551 | base64 -w0`
+- `SSH_ID_ALGORITHM`: Filename and algorithm of the SSH key file. Default is `id_ed25519`
 - `GITHUB_USERNAME` GitHub username for https git clone and archive download.
 - `GITHUB_PAT`: GitHub access token for https git clone and archive download.
 - `GITLAB_URL`: Url of GitLab instance. Default is `https://gitlab.com`.
diff --git a/images/odoo/bin/add-ssh-key b/images/odoo/bin/add-ssh-key
@@ -2,12 +2,13 @@
 set -e
 
 if [[ -n "$GIT_SSH_PRIVATE_KEY" ]]; then
-    mkdir -p ~/.ssh
-    chmod 700 ~/.ssh
+    key_filename="${SSH_ID_ALGORITHM:=id_ed25519}"
+    mkdir -p "$HOME/.ssh"
+    chmod 700 "$HOME/.ssh"
     log-entrypoint 'Add SSH key from env var.'
     decoded_git_ssh_private_key=$(echo -e "$GIT_SSH_PRIVATE_KEY" | base64 -d)
-    echo "$decoded_git_ssh_private_key" > ~/.ssh/id_ed25519
-    chmod 600 ~/.ssh/id_ed25519
+    echo "$decoded_git_ssh_private_key" > "$HOME/.ssh/$key_filename"
+    chmod 600 "$HOME/.ssh/$key_filename"
     eval "$(ssh-agent -s)"
-    ssh-add ~/.ssh/id_ed25519 || (echo 'Dumping ~/.ssh/id_ed25519 content:' && cat ~/.ssh/id_ed25519)
+    ssh-add "$HOME/.ssh/$key_filename" || (echo "Dumping $HOME/.ssh/$key_filename content:" && cat "$HOME/.ssh/$key_filename")
 fi
diff --git a/images/odoo/bin/clone-git-addons b/images/odoo/bin/clone-git-addons
@@ -9,8 +9,11 @@ if [[ -n "$ADDONS_GIT_REPOS" ]]; then
     git_clone_depth="${GIT_CLONE_DEPTH:="999"}"
 
     # Setup git SSH key
+    mkdir -p "$HOME/.ssh"
+    chmod 700 "$HOME/.ssh"
     add-ssh-key
 
+
     # Make every git directory a safe directory
     git config --global --add safe.directory '*'
 
@@ -32,7 +35,7 @@ if [[ -n "$ADDONS_GIT_REPOS" ]]; then
         git_path=$(parse-url "$git_url" path | sed 's/.git//g')
         git_local_path="$local_path/${git_hostname}/$git_path"
 
-        ssh-keyscan -t rsa,dsa "$git_hostname" > ~/.ssh/known_hosts 2>/dev/null
+        ssh-keyscan -t rsa,dsa "$git_hostname" > "$HOME/.ssh/known_hosts" 2>/dev/null
 
         if [[ ! -d "$git_local_path/.git" ]]; then
 
diff --git a/images/odoo/bin/remove-ssh-key b/images/odoo/bin/remove-ssh-key
@@ -2,11 +2,13 @@
 set -e
 
 if [[ -n "$GIT_SSH_PRIVATE_KEY" ]]; then
+    key_filename="${SSH_ID_ALGORITHM:=id_ed25519}"
+
     log-entrypoint 'Remove SSH key from env var.'
     if grep -u "$(id -u)" ssh-agent > /dev/null; then
-        if [[ -f ~/.ssh/id_ed25519 ]]; then
-            ssh-add -d ~/.ssh/id_ed25519 2>/dev/null || true
+        if [[ -f "$HOME/.ssh/$key_filename" ]]; then
+            ssh-add -d "$HOME/.ssh/$key_filename" 2>/dev/null || true
         fi
     fi
-    rm -f ~/.ssh/id_ed25519
+    rm -f "$HOME/.ssh/$key_filename"
 fi
